https://bugzilla.mindrot.org/show_bug.cgi?id=2042
Janne Ruohomäki <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Janne Ruohomäki <[email protected]> ---

I seriously think that this issue is way too severe to sit idling for 10 years.

https://github.com/openssh/openssh-portable/blob/acb2059febaddd71ee06c2ebf63dcf211d9ab9f2/auth2-pubkeyfile.c#L453
https://github.com/openssh/openssh-portable/blob/f5ba85daddfc2da6a8dab6038269e02c0695be44/auth2-pubkey.c#L599

All error messages related to read access to the user's authorized_keys file are sent to /dev/null with any sensible production log level. Not only does this make diagnostics of pubkey authentication credential issues harder, it also hides potential brute force attacks, as there's no sensible output in the log files about failed authentication attempts.

Now, as the user's authorized_keys file is under the user's control, including filesystem access rights and potentially excluding selinux settings, this can make a considerable mess. Additionally, there have been problems in several distros breaking pubkey authentication by messing with selinux configs for the authorized_keys file on a larger scale.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658675
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/965663

All it takes to fix this is to change those log levels in auth2-pubkeyfile.c and auth2-pubkey.c to Warning or Error. I would suggest Error as the correct log level for "Could not open %s '%s': %s" messages because:

1) It directly affects authentication by leaving out configuration.
2) The configuration left out is explicitly put in place and meant to be used.
3) If not written to the log, it masks brute force attacks against certain user accounts, if read access to a config file under the control of a non-root user is denied.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
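The report above is about a diagnostic gap: when sshd cannot open one of the configured authorized_keys files, the "Could not open" condition is logged at a level that the default LogLevel drops, so an administrator sees neither the misconfiguration nor the failed attempts it causes. The following script is an added example, not part of the mailing list post and not OpenSSH code: it expands the AuthorizedKeysFile tokens as sshd_config(5) documents them (%% for a literal percent, %h for the home directory, %u for the username, %U for the numeric uid), then tries to open each resulting file and reports the same strerror text that sshd would put into its hidden message. The default "%h/.ssh/authorized_keys .ssh/authorized_keys2" list is taken from sshd_config(5); the function names and the constructed fixture in demo() are this script's own.

```python
"""Surface authorized_keys open failures that sshd logs only at debug level.

Added example (not OpenSSH code). Expands the AuthorizedKeysFile tokens per
sshd_config(5) (%% -> '%', %h -> home, %u -> user, %U -> uid) and opens each
resulting file as the calling process, reporting the 'Could not open' detail
that the bug report says is invisible at a production LogLevel.
"""
import os
import tempfile

# sshd_config(5) default for AuthorizedKeysFile (relative paths are under $HOME).
DEFAULT_AUTHORIZED_KEYS_FILE = ".ssh/authorized_keys .ssh/authorized_keys2"


def expand_tokens(pattern: str, user: str, home: str, uid: int) -> str:
    """Expand one AuthorizedKeysFile entry; relative results are anchored at home."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%" and i + 1 < len(pattern):
            tok = pattern[i + 1]
            if tok == "%":
                out.append("%")
            elif tok == "h":
                out.append(home)
            elif tok == "u":
                out.append(user)
            elif tok == "U":
                out.append(str(uid))
            else:
                raise ValueError(f"unknown token %{tok} in AuthorizedKeysFile")
            i += 2
            continue
        out.append(ch)
        i += 1
    path = "".join(out)
    return path if os.path.isabs(path) else os.path.join(home, path)


def check_authorized_keys(setting: str, user: str, home: str, uid: int):
    """Return one (path, ok, detail) tuple per configured file.

    On failure, detail is the message sshd would emit at debug level; on
    success it is a count of non-comment, non-blank lines (candidate keys).
    """
    results = []
    for pattern in setting.split():
        path = expand_tokens(pattern, user, home, uid)
        try:
            with open(path, "r", encoding="utf-8") as fh:
                n_keys = sum(
                    1 for line in fh
                    if line.strip() and not line.lstrip().startswith("#")
                )
            results.append((path, True, f"{n_keys} key line(s)"))
        except OSError as exc:
            results.append(
                (path, False, f"Could not open authorized keys '{path}': {exc.strerror}")
            )
    return results


def demo():
    """Constructed fixture: a home directory where only the first default file exists."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, ".ssh"), mode=0o700)
        key_file = os.path.join(home, ".ssh", "authorized_keys")
        with open(key_file, "w", encoding="utf-8") as fh:
            # Constructed sample content; the key blob is a placeholder, not a real key.
            fh.write("# constructed sample\n")
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER example@host\n")
        return check_authorized_keys(DEFAULT_AUTHORIZED_KEYS_FILE, "alice", home, 1000)


if __name__ == "__main__":
    for path, ok, detail in demo():
        print(("OK   " if ok else "FAIL ") + path + " : " + detail)
```

Because sshd opens the file after temporarily switching to the authenticating user's uid, run the check as that user (not as root) to reproduce the permission situation sshd actually sees; a failure reported here for a file that is supposed to hold the user's keys is exactly the condition the report wants raised to Error.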
