Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
Package: openssh-server
Version: 1:9.2p1-2+deb12u3
Severity: normal
X-Debbugs-Cc: sa-dev@odd.systems
Dear Maintainer,
When an SSH client connects with the `-v` option for verbose logging,
the OpenSSH server discloses the full path to the `authorized_keys` file
and specific key options in use. This information is exposed in the
debug logs during the handshake process:
debug1: Remote: /...path.../authorized_keys:1: key options: command
debug1: Remote: /...path.../authorized_keys:1: key options:
agent-forwarding port-forwarding pty user-rc x11-forwarding
This behavior can undermine the security of a restricted shell setup by
revealing sensitive configuration details.
Steps to Reproduce:
1. Connect to the SSH server using an SSH client with the `-v` option.
2. Observe the debug output revealing the full path and key options.
Expected Behavior:
The server should not disclose sensitive information such as file paths
or specific key options in verbose logs, preserving configuration
confidentiality.
Thank you for addressing this issue.
-- System Information:
Debian Release: 12.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-25-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u8
ii libcom-err2 1.47.0-2
ii libcrypt1 1:4.4.33-2
ii libgssapi-krb5-2 1.20.1-2+deb12u2
ii libkrb5-3 1.20.1-2+deb12u2
ii libpam-modules 1.5.2-6+deb12u1
ii libpam-runtime 1.5.2-6+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.14-1~deb12u2
ii libsystemd0 252.30-1~deb12u2
ii libwrap0 7.6.q-32
ii lsb-base 11.6
ii openssh-client 1:9.2p1-2+deb12u3
ii openssh-sftp-server 1:9.2p1-2+deb12u3
ii procps 2:4.0.2-3
ii runit-helper 2.15.2
ii sysvinit-utils [lsb-base] 3.06-4
ii ucf 3.0043+nmu1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 252.30-1~deb12u2
ii xauth 1:1.1.2-1
Reply to: