[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Report a bug relative ssh key exchange.

By the way, bugs are usually reported using the tool reportbug. That way
your message ends up in the Debian Bug Tracking System (BTS). You sent
your mail to a mailing list for users of Debian. Maintainers of Debian
packages (who are responsible for dealing with their packages' problems)
don't necessarily read this list.

Alberto Bravi:
> I found a dangerous bug about ssh with key exchange.

I'd say if it is a bug at all, it is a bug in the webserver you are
running, not in OpenSSH.

> If I create a directory ".ssh", for the user "www-data", in his home
> that is usually, "/var/www/", i can log in the computer with: "ssh
> www-data@computer"

(I guess you meant to say that creating SSH keys in a directory which is
usually readable by everyone over the internet is a bad idea.)

Then either change www-data's home directory or don't create keys for
this user in the first place.

I agree that this is quite a serious pitfall, but every component
involved works as designed. I don't know the reasons for www-data using
its document root as home directory, but I guess there are some.

You can around that problem by either changing /var/www's permissions or
by disallowing access to the location /.ssh in your webserver.

I can tell a Whopper[tm] from a BigMac[tm] and Coke[tm] from Pepsi[tm].
[Agree]   [Disagree]

Attachment: signature.asc
Description: Digital signature

Reply to: