
Re: Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readabl



* Nico Golde <nion@debian.org> [080715 10:10]:
> > Ok, the key has an error, but it is probably one letter or some whitespace.
> > Ok, it is a public key, but sshd shouldn't log it anyway.
>
> The public key is no sensitive data, I see no problem doing
> this.

I want to contradict here. The public key contains all the information
needed to log in, just garbled enough to make it extremely hard to use
this information. So it is in a somewhat similar equivalence class to
the hashed password in /etc/shadow: if it is possible to keep it
secret, do so.

While it is called "public", there is AFAIK nothing in the ssh protocol
causing this to be needed anywhere. (I think sshd sends the fingerprint,
but not the public key). So keeping the public key secret, too, is an
additional minimal security benefit. (Which might only cause a real
impact if someone finds an efficient way to calculate the private key from
the public key, but in this rare event it would make an elementary
difference).

> Besides that on a normal Debian installation this file
> is only readable for root and members of the adm group.

I think this is the important point here making this unproblematic.

Yours faithfully,
	Bernhard R. Link
-- 
"Never contain programs so few bugs, as when no debugging tools are available!"
	Niklaus Wirth