author Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2008-10-26 03:35:27 -0400
committer Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2008-10-26 03:35:27 -0400
commit 502915e19c9715b866f2c9f5bf89abf85fd8aa52
tree 45250045d03438d37567bbb4885e393af71d0198 /website/bugs
parent ee285d5b62432f35203774835f3dd347ad92afbc
added 0.16-1 release announcement, plus new bug.
Diffstat (limited to 'website/bugs')
-rw-r--r-- website/bugs/authorized_keys_not_cleared.mdwn 20
1 files changed, 20 insertions, 0 deletions
diff --git a/website/bugs/authorized_keys_not_cleared.mdwn b/website/bugs/authorized_keys_not_cleared.mdwn
new file mode 100644
index 0000000..7246997
--- /dev/null
+++ b/website/bugs/authorized_keys_not_cleared.mdwn
@@ -0,0 +1,20 @@
+[[meta title="users with missing or empty authorized keys and User IDs should have MS-generated keys cleared" ]]
+
+I had a user who had a bunch of entries in
+`~/.monkeysphere/authorized_user_ids`, and a bunch of raw keys in
+`~/.ssh/authorized_keys`. My system's `monkeysphere-server` handled
+this situation appropriately, and populated
+`/var/lib/monkeysphere/authorized_keys/user` with the full set.
+
+Then i wanted to wipe out all key entries for that user. So i did:
+
+ mkdir ~user/backup
+ mv ~user/.ssh ~user/.monkeysphere ~user/backup
+ monkeysphere-server update-users user
+
+I expected this to either remove
+`/var/lib/monkeysphere/authorized_keys/user`, or truncate it to 0
+bytes. However, it just remained untouched, and the old keys
+persisted.
+
+This seems like a potential security problem.
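Review bot: The meta title says "missing or empty", but the reproduction steps (the `mv ~user/.ssh ~user/.monkeysphere ~user/backup` line) only exercise the missing case; either add what happens when `authorized_user_ids` and `authorized_keys` are emptied in place, or narrow the title to what was tested. The report also omits the monkeysphere version it was observed on and whether `monkeysphere-server update-users user` printed anything or exited non-zero, both of which triage will need. The closing sentence would be stronger if it stated the consequence directly: `/var/lib/monkeysphere/authorized_keys/user` still holds the old keys after both of the user's sources were moved away.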