
Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readable



On Tue, Jul 15, 2008 at 12:27:13AM +0100, Stephen Gran wrote:
> This one time, at band camp, Witold Baryluk said:
> > (original key removed)
> > 
> > Jul 13 15:55:34 tytus sshd[24909]: error: key_read: uudecode AAAAB3NzaC1XXXXXXXX
> > ........XXXXXXXRvB4h==\n failed
> > Jul 13 15:55:36 tytus sshd[24909]: Accepted password for johnybravo from 10.0.1.1 port
> >  49186 ssh2
> > 
> > Ok, the key has an error, but it is probably one letter, or some whitespace.
> > Ok, it is a public key, but sshd shouldn't log it anyway.
> 
> -rw-r----- 1 root adm 34858 2008-07-15 00:17 /var/log/auth.log
> 
> If your auth.log is world readable, something is wrong on your system.
> auth.log is designed exactly for information like this, and is designed
> to be relatively secret on purpose.
> 
> Given that, I'm not convinced this is actually a bug at all, but I'll
> leave that decision to the maintainers - I'm just going to lower the
> severity.

And, of course, the key is public anyway. Public means public no matter
how much you say "shouldn't log it anyway"; note that anyone who can
read auth.log can also simply read the user's authorized_keys file.

In short, I agree - it's not a bug. Julien Cristau already closed this
one.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
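The "key_read: uudecode ... failed" line quoted above is sshd reporting that the base64 blob on an authorized_keys line did not decode (sshd calls its base64 decoder uudecode). An administrator who wants to find such a line before sshd logs it can check the file directly. The checker below is an added example written for this page, not OpenSSH or Debian code; the regex, function names and the constructed dummy ed25519 key are my own, and it flags both failure modes the reporter guessed at, a dropped character and a stray space.

```python
import base64
import re
import struct

# Optional options field (may hold quoted, comma-separated values), then key
# type, then base64 blob; anything after the blob is the comment.
LINE_RE = re.compile(r'^(?:(?:"[^"]*"|[^"\s])+\s+)?((?:ssh-|ecdsa-sha2-|sk-)\S+)\s+(\S+)')

def _ssh_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if < 4 bytes left
        off += 4
        if off + n > len(blob):
            raise ValueError("field overruns blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def check_authorized_key_line(line):
    """Return None if the line is well-formed, else a short reason string."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # sshd ignores blank and comment lines
    m = LINE_RE.match(line)
    if not m:
        return "no key type / base64 field"
    keytype, b64 = m.groups()
    try:  # strict decode: a dropped letter or a stray space fails here or below
        fields = _ssh_fields(base64.b64decode(b64, validate=True))
    except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
        return f"key blob does not decode: {exc}"
    if len(fields) < 2 or fields[0] != keytype.encode():
        return f"blob does not carry a {keytype} key"
    return None

def constructed_ed25519_line(comment="user@example"):  # dummy bytes, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x01" * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

GOOD = constructed_ed25519_line()
SAMPLE_LINES = [  # constructed authorized_keys contents
    GOOD,
    'from="10.0.1.1",no-pty ' + constructed_ed25519_line("restricted"),
    GOOD[:40] + GOOD[41:],        # one base64 character dropped
    GOOD[:40] + " " + GOOD[40:],  # stray space inside the blob
]
```

Run `check_authorized_key_line` over each line of a user's authorized_keys; the two broken sample lines are reported while the plain and options-prefixed good lines pass.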
