[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#490883: marked as done (openssh-server: logs some keys to /var/log/auth.log which is world readabl)

Your message dated Tue, 15 Jul 2008 01:10:04 +0200
with message-id <20080714231003.GB3642@patate.is-a-geek.org>
and subject line Re: Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readabl
has caused the Debian Bug report #490883,
regarding openssh-server: logs some keys to /var/log/auth.log which is world readabl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
490883: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490883
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: openssh-server
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole

(orginal key removed)

Jul 13 15:55:34 tytus sshd[24909]: error: key_read: uudecode AAAAB3NzaC1XXXXXXXX
........XXXXXXXRvB4h==\n failed
Jul 13 15:55:36 tytus sshd[24909]: Accepted password for johnybravo from 10.0.1.1 port
 49186 ssh2


Ok, key have error, but it is probably one letter, or some whitespaces.
Ok, it is public key, but sshd shouldn't log it anyway.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (1001, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.11etch1                          Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 0.79-5                               Pluggable Authentication Modules f
ii  lib 0.79-5                               Runtime support for the PAM librar
ii  lib 0.79-5                               Pluggable Authentication Modules l
ii  lib 1.32-3                               SELinux shared libraries
ii  lib 0.9.8c-4etch3                        SSL shared libraries
ii  lib 7.6.dbs-13                           Wietse Venema's TCP wrappers libra
ii  ope 0.1.1                                list of blacklisted OpenSSH RSA an
ii  ope 1:4.3p2-9etch2                       Secure shell client, an rlogin/rsh
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-server recommends no packages.

-- debconf information:
* ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

--- End Message ---
--- Begin Message --- 
/var/log/auth.log is root:adm 640.

Cheers,
Julien

--- End Message ---
Reply to: