Your message dated Tue, 15 Jul 2008 01:10:04 +0200 with message-id <20080714231003.GB3642@patate.is-a-geek.org> and subject line Re: Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readabl has caused the Debian Bug report #490883, regarding openssh-server: logs some keys to /var/log/auth.log which is world readabl to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 490883: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490883 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh-server: logs some keys to /var/log/auth.log which is world readabl
- From: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
- Date: Tue, 15 Jul 2008 00:59:57 +0200
- Message-id: <[🔎] 20080714225957.30452.98290.reportbug@tytus.smp.if.uj.edu.pl>
Package: openssh-server Version: 1:4.3p2-9etch2 Severity: grave Tags: security Justification: user security hole (orginal key removed) Jul 13 15:55:34 tytus sshd[24909]: error: key_read: uudecode AAAAB3NzaC1XXXXXXXX ........XXXXXXXRvB4h==\n failed Jul 13 15:55:36 tytus sshd[24909]: Accepted password for johnybravo from 10.0.1.1 port 49186 ssh2 Ok, key have error, but it is probably one letter, or some whitespaces. Ok, it is public key, but sshd shouldn't log it anyway. -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (1001, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-6-686 Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Versions of packages openssh-server depends on: ii add 3.102 Add and remove users and groups ii deb 1.5.11etch1 Debian configuration management sy ii dpk 1.13.25 package maintenance system for Deb ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries ii lib 0.79-5 Pluggable Authentication Modules f ii lib 0.79-5 Runtime support for the PAM librar ii lib 0.79-5 Pluggable Authentication Modules l ii lib 1.32-3 SELinux shared libraries ii lib 0.9.8c-4etch3 SSL shared libraries ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra ii ope 0.1.1 list of blacklisted OpenSSH RSA an ii ope 1:4.3p2-9etch2 Secure shell client, an rlogin/rsh ii zli 1:1.2.3-13 compression library - runtime openssh-server recommends no packages. -- debconf information: * ssh/vulnerable_host_keys: ssh/new_config: true * ssh/use_old_init_script: true ssh/encrypted_host_key_but_no_keygen: ssh/disable_cr_auth: false
--- End Message ---
--- Begin Message ---
- To: Witold Baryluk <baryluk@smp.if.uj.edu.pl>, 490883-done@bugs.debian.org
- Subject: Re: Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readabl
- From: Julien Cristau <jcristau@debian.org>
- Date: Tue, 15 Jul 2008 01:10:04 +0200
- Message-id: <20080714231003.GB3642@patate.is-a-geek.org>
- In-reply-to: <[🔎] 20080714225957.30452.98290.reportbug@tytus.smp.if.uj.edu.pl>
- References: <[🔎] 20080714225957.30452.98290.reportbug@tytus.smp.if.uj.edu.pl>
/var/log/auth.log is root:adm 640. Cheers, Julien
--- End Message ---