Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readabl
Package: openssh-server
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole
(orginal key removed)
Jul 13 15:55:34 tytus sshd[24909]: error: key_read: uudecode AAAAB3NzaC1XXXXXXXX
........XXXXXXXRvB4h==\n failed
Jul 13 15:55:36 tytus sshd[24909]: Accepted password for johnybravo from 10.0.1.1 port
49186 ssh2
Ok, key have error, but it is probably one letter, or some whitespaces.
Ok, it is public key, but sshd shouldn't log it anyway.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (1001, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Versions of packages openssh-server depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch1 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules f
ii lib 0.79-5 Runtime support for the PAM librar
ii lib 0.79-5 Pluggable Authentication Modules l
ii lib 1.32-3 SELinux shared libraries
ii lib 0.9.8c-4etch3 SSL shared libraries
ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii ope 0.1.1 list of blacklisted OpenSSH RSA an
ii ope 1:4.3p2-9etch2 Secure shell client, an rlogin/rsh
ii zli 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
* ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
Reply to: