Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
From: Alexander Kulak <sa-dev@odd.systems>
Date: Wed, 20 Nov 2024 17:44:12 +0300
Message-id: <[🔎] 173211385257.3399395.18044183870038197270.reportbug@localhost.localdomain>
Reply-to: Alexander Kulak <sa-dev@odd.systems>, 1087936@bugs.debian.org

Package: openssh-server
Version: 1:9.2p1-2+deb12u3
Severity: normal
X-Debbugs-Cc: sa-dev@odd.systems

Dear Maintainer,

When an SSH client connects with the `-v` option for verbose logging,
the OpenSSH server discloses the full path to the `authorized_keys` file
and specific key options in use. This information is exposed in the
debug logs during the handshake process:

debug1: Remote: /...path.../authorized_keys:1: key options: command
debug1: Remote: /...path.../authorized_keys:1: key options:
agent-forwarding port-forwarding pty user-rc x11-forwarding

This behavior can undermine the security of a restricted shell setup by
revealing sensitive configuration details.

Steps to Reproduce:
1. Connect to the SSH server using an SSH client with the `-v` option.
2. Observe the debug output revealing the full path and key options.

Expected Behavior:
The server should not disclose sensitive information such as file paths
or specific key options in verbose logs, preserving configuration
confidentiality.

Thank you for addressing this issue.


-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-25-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u8
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u2
ii  libkrb5-3                  1.20.1-2+deb12u2
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.14-1~deb12u2
ii  libsystemd0                252.30-1~deb12u2
ii  libwrap0                   7.6.q-32
ii  lsb-base                   11.6
ii  openssh-client             1:9.2p1-2+deb12u3
ii  openssh-sftp-server        1:9.2p1-2+deb12u3
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.30-1~deb12u2
ii  xauth                    1:1.1.2-1

Reply to:

Follow-Ups:
- Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#1087644: openssh-server: no tty associated with login session
Next by Date: Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
Previous by thread: Bug#1072184: openssh-server: Please stop writing /var/log/btmp
Next by thread: Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
Index(es):
- Date
- Thread