
Re: Bug#490883: openssh-server: logs some keys to /var/log/auth.log which is world readable



On Tuesday 15 July 2008 02:11:52 Bernhard R. Link wrote:
> * Nico Golde <nion@debian.org> [080715 10:10]:
> > > Ok, the key has an error, but it is probably one letter, or some whitespace.
> > > Ok, it is a public key, but sshd shouldn't log it anyway.
> >
> > The public key is no sensitive data, I see no problem doing
> > this.
> 
> I want to contradict here. The public key contains all the information
> needed to log in, just garbled enough to make it extremely hard to use
> this information. So it is in a somewhat similar equivalence class to
> the hashed password in /etc/shadow: if it is possible to keep it
> secret, do so.

/etc/shadow contains (salted) hashes of plaintext passwords.  This means that 
access to /etc/shadow allows an off-line dictionary attack, taking advantage 
of the limited keyspace of plaintext passwords.  In contrast, recovering a 
private key from a public key requires a search of the much larger space of 
possible private keys.

--Mark Voorhies
mvoorhie@yahoo.com
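The distinction Mark draws above, as an added example that is not part of the original thread: a salted password hash leaks enough to run an offline dictionary attack, whereas an OpenSSH public key line (the thing sshd logs) decodes to nothing but the public value. The shadow entry, the wordlist and the 32-byte key below are all constructed for the demo; the hash function is a PBKDF2 stand-in for the real sha512crypt/yescrypt used by glibc (the attack shape, enumerate candidates and re-derive, is the same), and the `ED25519_ATTACK_BITS` figure is the commonly cited ~128-bit security level of Ed25519, not something measured here.

```python
"""Salted password hash vs. SSH public key: what an attacker gets from each.

All data here is constructed sample input. KDF is a PBKDF2 stand-in for
sha512crypt/yescrypt (assumption); the ssh-ed25519 wire format follows
RFC 4253 length-prefixed strings, which is what authorized_keys lines carry.
"""
import base64
import hashlib
import hmac
import math
import struct

# ---- /etc/shadow side: a salted hash permits an offline dictionary attack ----

KDF_ITERATIONS = 1000  # assumption: stand-in work factor for the demo


def shadow_hash(password: str, salt: bytes) -> str:
    """Produce a shadow-style field 'salt$digest' (constructed encoding)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, KDF_ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + dk.hex()


def offline_dictionary_attack(shadow_field: str, wordlist):
    """Given only the leaked field and a wordlist, recover the password.

    The salt is public inside the field, so each candidate is re-derived
    and compared. Returns (password, guesses_tried) or (None, guesses_tried).
    """
    salt_b64, target_hex = shadow_field.split("$")
    salt = base64.b64decode(salt_b64)
    target = bytes.fromhex(target_hex)
    tried = 0
    for candidate in wordlist:
        tried += 1
        dk = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, KDF_ITERATIONS)
        if hmac.compare_digest(dk, target):
            return candidate, tried
    return None, tried


# ---- public key side: what is actually inside the logged key line ----

def _ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_ed25519_pubkey_line(pub32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line 'ssh-ed25519 <base64 blob> comment'."""
    if len(pub32) != 32:
        raise ValueError("Ed25519 public key is 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line: str):
    """Decode the base64 blob into its length-prefixed fields.

    Returns (key_type, fields_after_type). For ssh-ed25519 the only field is
    the 32-byte public point: there is no private material to recover from it.
    Rejects truncated or mismatched blobs instead of silently accepting them.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != parts[0].encode():
        raise ValueError("key type inside blob does not match line prefix")
    return parts[0], fields[1:]


# ---- keyspace comparison ----

ED25519_SEED_BITS = 256    # the private key is a 32-byte seed
ED25519_ATTACK_BITS = 128  # assumption: commonly cited security level (Pollard rho)


def work_ratio_bits(wordlist_size: int) -> float:
    """log2 of (private-key recovery cost / dictionary-attack cost)."""
    return ED25519_ATTACK_BITS - math.log2(wordlist_size)


if __name__ == "__main__":
    field = shadow_hash("hunter2", b"constructed-salt")
    print("shadow:", offline_dictionary_attack(field, ["password", "letmein", "hunter2"]))
    line = encode_ed25519_pubkey_line(bytes(range(32)), "user@example")
    print("logged line:", line)
    print("decoded fields:", parse_pubkey_line(line))
    print("extra work for key recovery, in bits:", work_ratio_bits(3))
```

Running it shows the password falling to a three-word list while the decoded key line yields only the public point; the remaining gap to a private-key search is the `work_ratio_bits` figure, which is why the two leaks are not in the same class even though neither is ideal to publish.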
