Bug#483756: insist ssh-vulnkey -a be run by the administrator upon upgrade
On Fri, May 30, 2008 at 05:56:19PM -0700, Suresh Ramasubramanian wrote:
> Colin Watson [31/05/08 00:31 +0100]:
> >Sure, but that's a problem with *their* machine (i.e. it allows access
> >from unauthorised persons) rather than a problem with your machine. The
> >sshd blacklisting will prevent this problem on their side - you might
> >send them an updated key but you won't be able to log in with it.
>
> Not allowed access as much as "found a compromised key in ~/.ssh and warned
> him".
Having a compromised key in ~/.ssh/authorized_keys (if that's what it
was) is effectively equivalent to allowing access to that account from
the entire Internet.
Cheers,
--
Colin Watson [cjwatson@debian.org]
Reply to: