author | Micah Anderson <micah@riseup.net> | 2008-10-26 12:34:56 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2008-10-26 12:34:56 -0400 |
commit | 20e88948f035c56d51f07c53de50b75df57fc816 (patch) | |
tree | b949e026bbf3687f05c1d98e1e22d9f9c0d31f62 /website/bugs/authorized_keys_not_cleared.mdwn | |
parent | 5722f3ce688ce4f71a7f3a4a3aa3d070c3e47014 (diff) | |
parent | eef5c546af5f7a723be67303feee9b05b47b0fdb (diff) |
Merge commit 'dkg/master'
Diffstat (limited to 'website/bugs/authorized_keys_not_cleared.mdwn')
-rw-r--r-- | website/bugs/authorized_keys_not_cleared.mdwn | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/website/bugs/authorized_keys_not_cleared.mdwn b/website/bugs/authorized_keys_not_cleared.mdwn new file mode 100644 index 0000000..7246997 --- /dev/null +++ b/website/bugs/authorized_keys_not_cleared.mdwn @@ -0,0 +1,20 @@ +[[meta title="users with missing or empty authorized keys and User IDs should have MS-generated keys cleared" ]] + +I had a user who had a bunch of entries in +`~/.monkeysphere/authorized_user_ids`, and a bunch of raw keys in +`~/.ssh/authorized_keys`. My system's `monkeysphere-server` handled +this situation appropriately, and populated +`/var/lib/monkeysphere/authorized_keys/user` with the full set. + +Then i wanted to wipe out all key entries for that user. So i did: + + mkdir ~user/backup + mv ~user/.ssh ~user/.monkeysphere ~user/backup + monkeysphere-server update-users user + +I expected this to either remove +`/var/lib/monkeysphere/authorized_keys/user`, or truncate it to 0 +bytes. However, it just remained untouched, and the old keys +persisted. + +This seems like a potential security problem. |
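Review bot: The reproduction steps only exercise the "missing" case, where `~user/.ssh` and `~user/.monkeysphere` are moved into `~user/backup`, while the meta title also covers "empty" files. Either add a second reproduction with empty `authorized_keys` and `authorized_user_ids` files, or narrow the title to what was tested. The closing line "This seems like a potential security problem." should state the consequence the report has in mind for the old keys left in `/var/lib/monkeysphere/authorized_keys/user`. The report also does not say which monkeysphere version `monkeysphere-server update-users user` was run from, which is needed to reproduce the behaviour.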