
Re: Report a bug relative ssh key exchange.



By the way, bugs are usually reported using the tool reportbug. That way
your message ends up in the Debian Bug Tracking System (BTS). You sent
your mail to a mailing list for users of Debian. Maintainers of Debian
packages (who are responsible for dealing with their packages' problems)
don't necessarily read this list.

Alberto Bravi:
> 
> I found a dangerous bug about ssh with key exchange.

I'd say if it is a bug at all, it is a bug in the webserver you are
running, not in OpenSSH.

> If I create a directory ".ssh", for the user "www-data", in his home
> that is usually, "/var/www/", I can log in the computer with: "ssh
> www-data@computer"

(I guess you meant to say that creating SSH keys in a directory which is
usually readable by everyone over the internet is a bad idea.)

Then either change www-data's home directory or don't create keys for
this user in the first place.

I agree that this is quite a serious pitfall, but every component
involved works as designed. I don't know the reasons for www-data using
its document root as home directory, but I guess there are some.

You can work around that problem by either changing /var/www's permissions or
by disallowing access to the location /.ssh in your webserver.

J.
-- 
I can tell a Whopper[tm] from a BigMac[tm] and Coke[tm] from Pepsi[tm].
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
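
A check for the pitfall discussed in this message, as an added example that is not part of the original mail: it lists accounts whose home directory is a web document root (or below one) and contains a .ssh directory. The function names, the PREFIX argument and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_ssh_in_docroot PASSWD_FILE DOCROOT [PREFIX]
#   PASSWD_FILE  passwd(5)-format file to read
#   DOCROOT      directory the web server publishes, e.g. /var/www
#   PREFIX       optional path prepended to each home (mounted image, test tree)
# Prints "<user> <home>/.ssh <exposed|restricted>" for every account whose home
# is DOCROOT or below it and contains a .ssh directory. "exposed" only means the
# mode lets "others" read the directory; whether it is served still depends on
# the web server configuration. Returns 1 on any finding, else 0.
audit_ssh_in_docroot() {
    passwd_file=$1
    docroot=${2%/}
    prefix=${3:-}
    found=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|'#'*) continue ;; esac
        home=${home%/}
        # Match the document root itself or any path below it, not /var/www2.
        case "$home/" in
            "$docroot"/*) ;;
            *) continue ;;
        esac
        dir="$prefix$home/.ssh"
        [ -d "$dir" ] || continue
        # Character 8 of the ls mode string is the read bit for "others".
        if [ "$(ls -ld "$dir" | cut -c8)" = "r" ]; then
            state=exposed
        else
            state=restricted
        fi
        printf '%s %s/.ssh %s\n' "$user" "$home" "$state"
        found=1
    done < "$passwd_file"
    return "$found"
}

# Constructed sample: a throwaway tree with a www-data-style account.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/var/www/.ssh" "$t/home/alice/.ssh"
    chmod 755 "$t/var/www/.ssh"
    printf '%s\n' 'www-data:x:33:33:www-data:/var/www:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$t/passwd"
    rc=0
    audit_ssh_in_docroot "$t/passwd" /var/www "$t" || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

On a live system the call would be `audit_ssh_in_docroot /etc/passwd /var/www`; a non-zero exit status makes it usable from cron or a configuration check.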
