Bug#657448: marked as done (gitolite: openssh-server bug leaks configured gitolite usernames to client)

[Debian Bug Tracking System]

Your message dated Fri, 27 Jan 2012 11:22:47 +0100
with message-id <20120127102247.ga20...@anguilla.debian.or.at>
and subject line Re: Bug#657448: gitolite: openssh-server bug leaks configured 
gitolite usernames to client
has caused the Debian Bug report #657448,
regarding gitolite: openssh-server bug leaks configured gitolite usernames to 
client
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
657448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: gitolite
Severity: normal

Dear Maintainer,

Gitolite users should be aware, that some or all configured usernames
show up in the debug output of any ssh client, depending on the
position of the accessing user's forced command in the gitolite
authorized_keys configuration.

e.G. if the public key of user "foo" is at position 4 in the
authorized keys file, he can see the configured usernames
1-4, when using "ssh -v gitolite@server". If his key is at
the end of the authorized_keys file, he can obtain _all_
configured usernames.

For Details and example, see the original openssh-server bug entry:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445

--- End Message ---

--- Begin Message ---

affects 657445 gitolite
thanks

* Bjoern Buerger <b...@pengutronix.de> [2012-01-26 12:21:41 CET]:
> Gitolite users should be aware, that some or all configured usernames
> show up in the debug output of any ssh client, depending on the
> position of the accessing user's forced command in the gitolite
> authorized_keys configuration.

 Thanks for the notice - though, there is nothing gitolite can do about
it and it is no bug in gitolite.  It is a bug in openssh-server, and
thus I am marking the bug you mentioned as affecting gitolite and close
this one.

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |

--- End Message ---