Bug#1087936: openssh-server: sshd reveals sensitive key options from authorized_keys
On Wed, Nov 20, 2024 at 05:44:12PM +0300, Alexander Kulak wrote:
> When an SSH client connects with the `-v` option for verbose logging,
> the OpenSSH server discloses the full path to the `authorized_keys` file
> and specific key options in use. This information is exposed in the
> debug logs during the handshake process:
>
> debug1: Remote: /...path.../authorized_keys:1: key options: command
> debug1: Remote: /...path.../authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
>
> This behavior can undermine the security of a restricted shell setup by
> revealing sensitive configuration details.
>
> Steps to Reproduce:
> 1. Connect to the SSH server using an SSH client with the `-v` option.
> 2. Observe the debug output revealing the full path and key options.
>
> Expected Behavior:
> The server should not disclose sensitive information such as file paths
> or specific key options in verbose logs, preserving configuration
> confidentiality.
Would you mind please reporting this upstream? See
https://www.openssh.com/report.html for instructions.
Sometimes I do this myself, but in cases where I don't entirely agree
with parts of the bug report, it's better for people to do it themselves
so that they can have a direct discussion with upstream as needed. (In
particular, I'm personally not quite convinced that paths to
authorized_keys files really count as sensitive configuration details,
though I can see that you might consider key options to be.)
Thanks,
--
Colin Watson (he/him) [cjwatson@debian.org]
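As an added example for this thread (not code from OpenSSH or from either participant), the following Python audit helper parses the options field of an authorized_keys file and summarizes, per entry, the kind of information the quoted debug lines expose to a verbose client: which non-permission options are set (by name) and the effective permission set after `restrict` and `no-*` toggles. The sample file, its placeholder key blobs and the summary layout are constructed here; the layout approximates the debug lines quoted in the report rather than reproducing sshd's exact output.

```python
"""Audit helper for authorized_keys key options.

Added example for this thread, not OpenSSH code. It parses the options
field of authorized_keys entries the way an administrator would when
reviewing what sshd's "key options" debug messages disclose to a
connecting client. The summary approximates the debug lines quoted in
the report; sshd's exact wording is not reproduced here.
"""

# Key types accepted as the first token of an entry that has no options.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Permissions that default to on; "no-<name>" or "restrict" removes them,
# and a bare "<name>" after "restrict" re-enables one.
PERMISSIONS = ("agent-forwarding", "port-forwarding", "pty", "user-rc", "x11-forwarding")


def split_entry(line):
    """Return (options_field, key_and_comment) for one authorized_keys line.

    The options field is the first whitespace-delimited token unless that
    token is a key type. Whitespace inside a double-quoted option value
    (e.g. command="a b") does not end the field, and a backslash-escaped
    quote inside quotes does not close the value.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return "", ""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and i + 1 < len(line):
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break
        i += 1
    first, rest = line[:i], line[i:].strip()
    if first in KEY_TYPES:
        return "", line
    return first, rest


def parse_options(field):
    """Split a comma-separated options field into (name, value) pairs.

    Names are lowercased. Values may be bare (from=10.0.0.1) or
    double-quoted; a quoted value may contain commas and backslash-escaped
    double quotes.
    """
    pairs, i, n = [], 0, len(field)
    while i < n:
        j = i
        while j < n and field[j] not in ",=":
            j += 1
        name, value = field[i:j].lower(), None
        if j < n and field[j] == "=":
            j += 1
            if j < n and field[j] == '"':
                j += 1
                buf = []
                while j < n and field[j] != '"':
                    if field[j] == "\\" and j + 1 < n and field[j + 1] == '"':
                        buf.append('"')
                        j += 2
                    else:
                        buf.append(field[j])
                        j += 1
                if j >= n:
                    raise ValueError("unterminated quoted value in: " + field)
                j += 1  # closing quote
                value = "".join(buf)
            else:
                k = j
                while k < n and field[k] != ",":
                    k += 1
                value, j = field[j:k], k
        if name:
            pairs.append((name, value))
        if j < n and field[j] == ",":
            j += 1
        i = j
    return pairs


def disclosed(line):
    """Approximate what a verbose client learns about one entry: the names of
    the non-permission options set (the quoted debug output shows names, not
    values) and the effective permission set."""
    field, _ = split_entry(line)
    names, permitted = [], set(PERMISSIONS)
    for name, _value in (parse_options(field) if field else []):
        if name == "restrict":
            permitted.clear()
        elif name in PERMISSIONS:
            permitted.add(name)
        elif name.startswith("no-") and name[3:] in PERMISSIONS:
            permitted.discard(name[3:])
        else:
            names.append(name)
    return {"options": names, "permitted": [p for p in PERMISSIONS if p in permitted]}


def audit(text):
    """One disclosure summary per non-comment, non-empty line of a file."""
    return [disclosed(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
# backup account: forced command whose argument contains a comma and quotes
command="/usr/local/bin/backup --tag \\"nightly, full\\"",no-pty,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER backup@host
restrict,pty,from="10.0.0.0/8,192.168.1.1" ssh-rsa AAAAB3PLACEHOLDER ops@host
ssh-ed25519 AAAAC3PLACEHOLDER plain@host
"""

if __name__ == "__main__":
    for n, d in enumerate(audit(SAMPLE), 1):
        print(f"entry {n}: key options: {' '.join(d['options']) or '(none)'}; "
              f"permitted: {' '.join(d['permitted']) or '(none)'}")
```

Run it against a real file with `audit(open(path).read())`; entries whose `options` list is non-empty or whose `permitted` set is reduced are exactly the ones where a client running `ssh -v` would see that a forced command or other restriction is in place, which is the disclosure the report describes.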