ssh-copy-id
Eitan Adler
eadler at freebsd.org
Sun Mar 2 22:46:19 UTC 2014
On 1 March 2014 10:02, Mark Felder <feld at freebsd.org> wrote:
>
>
> On Fri, Feb 28, 2014, at 21:11, Eitan Adler wrote:
>> On 28 February 2014 18:42, Jilles Tjoelker <jilles at stack.nl> wrote:
>> > On Fri, Feb 28, 2014 at 06:08:10PM -0500, Eitan Adler wrote:
>> >> On 28 February 2014 17:15, Mark Felder <feld at freebsd.org> wrote:
>> >> ....
>> >
>> >> > In my opinion, if I'm using an ssh utility and I specify "-i" flag it
>> >> > should be the private key.
>> >
>> >> Hey all,
>> >
>> >> Sorry about the confusion ssh-copy-id has caused you.
>> >
>> >> Does the following patch help?
>> >
>> > In addition to that, it may be useful to add an explicit check against
>> > sending private keys. Even though printf(1) fails, the receiving server
>> > still gets the private key and a malicious root user might steal it.
>> >
>> > For example, any key starting with '-' is inappropriate.
>>
>> I thought about adding a check for private keys. However, such a check
>> is insufficient since the user may have supplied other private files
>> accidentally such as /etc/passwd or a GPG key.
>>
>
> I suppose you could whitelist certain types of keys and only permit
> those to be used with ssh-copy-id and exit/error if something else is
> fed to it.

I still have some trauma from seeing libmagic used in
security-sensitive contexts. However, in this case adding a whitelist
based on file(1) is not a terrible idea.

I'll try to work on this, but no promises. I'd be happy to review if
you come up with a patch.

--
Eitan Adler
Source, Ports, Doc committer
Bugmeister, Ports Security teams
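
One way to implement the whitelist discussed in this message, as an added example that is not part of the thread or of ssh-copy-id itself. It checks the text format of the file directly instead of calling file(1); the function name check_pubkey_file and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from ssh-copy-id): refuse to send anything that is not
# a public key. check_pubkey_file is a hypothetical helper name.

# Succeeds only if every non-blank line is "<allowed type> <base64 blob> [comment]".
check_pubkey_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    seen=0
    while read -r ktype blob _comment || [ -n "$ktype" ]; do
        [ -n "$ktype" ] || continue
        # Whitelist of key type names OpenSSH writes in public key files.
        case $ktype in
            ssh-rsa|ssh-dss|ssh-ed25519) ;;
            ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) return 1 ;;   # PEM headers ("-----BEGIN"), passwd lines, etc.
        esac
        # The blob starts with a 4-byte length whose top three bytes are
        # zero, so its base64 form always begins with "AAAA".
        case $blob in
            AAAA*) ;;
            *) return 1 ;;
        esac
        # Nothing outside the base64 alphabet may appear in the blob.
        case $blob in
            *[!A-Za-z0-9+/=]*) return 1 ;;
        esac
        seen=1
    done < "$1"
    [ "$seen" -eq 1 ]   # an empty file is not a key either
}

# Constructed sample inputs: a fake public key line, a private key header,
# and a passwd-style line. None of these are real credentials.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey0000 user@example' > "$demo_dir/good.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3BlbnNzaC1rZXktdjEA' > "$demo_dir/private"
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' > "$demo_dir/passwd"

for f in good.pub private passwd; do
    if check_pubkey_file "$demo_dir/$f"; then
        echo "$f: ok to send"
    else
        echo "$f: refused, not a public key" >&2
    fi
done
rm -rf "$demo_dir"
```

The check runs locally before any connection is made, so a rejected file never reaches the receiving server.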