Bug#1058899: openssh-client: ssh-copy-id should warn on command= when copying pub key
Package: openssh-client
Version: 1:9.5p1-2
Severity: normal
Tags: upstream
https://blog.thc.org/infecting-ssh-public-keys-with-backdoors
The above web page describes how to exploit systems via the athorized_keys
file and purports to describe how to hide backdoors in ~/.ssh/id_*.pub, the
only way that second claim could be valid is by using ssh-copy-if to blindly
copy a .pub file that has the command= string in question installed.
To address this sort of thing (and also to prevent needless confusion from
less hostile uses of command=) I think ssh-copy-id should either warn about
the use of command= in the source file or copy a sanitised version unless
explicitely told to copy that with an optional parameter.
-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-5-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages openssh-client depends on:
ii adduser 3.137
ii libc6 2.37-13
ii libedit2 3.1-20230828-1
ii libfido2-1 1.14.0-1
ii libgssapi-krb5-2 1.20.1-5
ii libselinux1 3.5-1+b1
ii libssl3 3.1.4-2
ii passwd 1:4.13+dfsg1-3
ii zlib1g 1:1.3.dfsg-3
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
pn keychain <none>
ii ksshaskpass [ssh-askpass] 4:5.27.9-1
pn libpam-ssh <none>
pn monkeysphere <none>
-- debconf-show failed
Reply to: