On Sat, Jan 15, 2005 at 11:06:21AM +0100, Mathieu Roy wrote:
> Sylvain Beucler <[EMAIL PROTECTED]> wrote:
> 
> > Hello,
> >
> > James E. Blair, the FSF system administrator, insists on sanitizing the
> > authorized_keys files.
> >
> > To put it another way, we would check that what the user enters in the
> > SSH key fields matches the OpenSSH format for either protocol
> > version 1 or 2, or only version 2 if we don't need to support version
> > 1. Note that we don't support all versions of SSH anyway; I saw that
> > apparently the 'ssh2' (proprietary) package from Debian uses another
> > format that looks more like a GPG key (header and multiple lines).
> >
> > There are not many versions of the authorized_keys format, so the
> > maintenance would not be tedious. As far as improvements are
> > concerned, we gain a little bit in security (i.e. if authorized_keys
> > were exploited one day), and we could tell the user straight away when
> > his key is not valid.
> >
> > So, independently of James' point of view, I think this feature is worth
> > adding. What do you think?
> 
> 
> - I think that if someone is willing to implement it, it must be done in
> the *frontend* first. Having the backend trying to insert keys every 4
> hours, without the user even knowing exactly what is going on, is not
> fine.
> The point is that we should avoid at any cost making the backend
> deal with mistakes of the frontend.

That's what I meant, "we could tell the user when his key is not valid
straight away.".


> - I think it must be configurable. In other words, there should be a
> configuration option, off by default, that permits activating these
> checks and selecting which ones (a value like "0" or "rsa1" or
> "rsa1,rsa,dsa").
> The comment that comes along with the configuration option should not
> lead people who install Savane to think that this is the right way to
> restrict access to their ssh server (i.e. they should be made aware of
> sshd_config options like "Protocol").

How about simply using an on/off switch? It is not about selecting the
key type, but rather preventing people from inserting invalid keys,
whatever format they are in.

If the switch is off by default, btw, users won't be warned when they
insert an invalid key, so maybe we could even get rid of the switch.


> I'm still not convinced that this feature makes a difference
> security-wise (but that does not matter since I'm not the one spending
> time on it), but I agree it can, if implemented in the frontend,
> improve user experience by telling him if his key is invalid -- and this
> would be good.

Of course you understand what the security issue is, it's just that it
doesn't look really important to you - and you're not alone. I did say
it was a very small improvement, security-wise.

-- 
Sylvain

_______________________________________________
Savane-dev mailing list
[email protected]
https://mail.gna.org/listinfo/savane-dev
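
Here is what such a frontend check could look like, written as an added
example for this thread and not code from Savane or its authors. It
validates one user-supplied key field against the two OpenSSH
authorized_keys formats discussed above: protocol 1 ("bits exponent
modulus [comment]", all decimal) and protocol 2 ("type base64-blob
[comment]"). For protocol 2 it goes further than a regexp: it decodes the
blob and checks that the key type embedded in it matches the declared
type and that the blob has the right number of fields. It also rejects
embedded newlines and any options prefix, so one form field can never
become more than one authorized_keys line. The function names, the
restriction to ssh-rsa and ssh-dss, and the sample keys (constructed from
arbitrary numbers, not real keys) are all assumptions made here.

```python
"""Strict validator for OpenSSH authorized_keys entries (protocol 1 and 2).

Added example for the Savane thread; not Savane code. Function names and
the accepted key types are assumptions; sample keys are constructed.
"""
import base64
import re
import struct

# Protocol 2 key types accepted here (assumption: ssh-rsa and ssh-dss only).
V2_TYPES = ("ssh-rsa", "ssh-dss")
# Number of length-prefixed strings in the blob: type + (e, n) or (p, q, g, y).
V2_FIELDS = {"ssh-rsa": 3, "ssh-dss": 5}


def _is_decimal(s):
    return re.fullmatch(r"[0-9]+", s) is not None


def _ssh_strings(blob):
    """Split an OpenSSH wire-format blob into its uint32-length-prefixed strings."""
    parts, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length prefix in key data")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated string in key data")
        parts.append(blob[i:i + n])
        i += n
    return parts


def check_authorized_key(line):
    """Return the key type of one well-formed bare key line, else raise ValueError.

    Only a bare key is accepted: no options prefix (from=, command=, ...)
    and no embedded newline, so the field maps to exactly one line.
    """
    if "\n" in line or "\r" in line:
        raise ValueError("key must be a single line")
    fields = line.strip().split()
    if not fields:
        raise ValueError("empty key")

    # Protocol 1 (RSA1): "<bits> <exponent> <modulus> [comment]".
    if _is_decimal(fields[0]):
        if len(fields) < 3 or not all(_is_decimal(f) for f in fields[:3]):
            raise ValueError("protocol 1 key needs decimal bits, exponent and modulus")
        if int(fields[2]).bit_length() != int(fields[0]):
            raise ValueError("protocol 1 bits field does not match modulus size")
        return "rsa1"

    # Protocol 2: "<type> <base64 blob> [comment]".
    keytype = fields[0]
    if keytype not in V2_TYPES:
        raise ValueError("unsupported key type %r" % keytype)
    if len(fields) < 2 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", fields[1]):
        raise ValueError("key data is missing or not base64")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        raise ValueError("key data is not valid base64")
    parts = _ssh_strings(blob)
    if not parts or parts[0] != keytype.encode():
        raise ValueError("key data does not match declared type %s" % keytype)
    if len(parts) != V2_FIELDS[keytype]:
        raise ValueError("wrong number of fields in %s key data" % keytype)
    return keytype


def is_valid_key(line):
    try:
        check_authorized_key(line)
        return True
    except ValueError:
        return False


# --- constructed sample input (arbitrary numbers, not real keys) ---------
def _mpint(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
    return struct.pack(">I", len(b)) + b


def make_v2_line(keytype, numbers, comment):
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += b"".join(_mpint(n) for n in numbers)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


SAMPLE_N = int("ff" * 128, 16) - 2          # 1024-bit odd number, not a real modulus
SAMPLE_RSA = make_v2_line("ssh-rsa", (65537, SAMPLE_N), "user@example")
SAMPLE_DSS = make_v2_line("ssh-dss", (0xFFFFFFFF, 0x7FFF, 2, 5), "user@example")
SAMPLE_RSA1 = "1024 65537 %d user@example" % SAMPLE_N
MISMATCHED = "ssh-rsa " + SAMPLE_DSS.split()[1]   # declares ssh-rsa, carries ssh-dss

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_DSS, SAMPLE_RSA1, MISMATCHED,
                   "---- BEGIN SSH2 PUBLIC KEY ----", 'command="/bin/sh" ' + SAMPLE_RSA):
        print(is_valid_key(sample), sample[:40])
```

The commercial ssh2 format mentioned in the thread ("---- BEGIN SSH2
PUBLIC KEY ----", multi-line) is rejected by design; a frontend that
wanted to accept it would convert it to the OpenSSH one-line form before
running this check, not relax the check.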
