From 3b0d5361bcaa53770ae4130dc08a1b9ea6d36cfd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 21:54:03 -0400 Subject: close bug about problem in authorized_keys generation in monkeysphere-server. --- website/bugs/authorized_keys_not_cleared.mdwn | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'website/bugs') diff --git a/website/bugs/authorized_keys_not_cleared.mdwn b/website/bugs/authorized_keys_not_cleared.mdwn index 7246997..4ba347b 100644 --- a/website/bugs/authorized_keys_not_cleared.mdwn +++ b/website/bugs/authorized_keys_not_cleared.mdwn @@ -18,3 +18,7 @@ bytes. However, it just remained untouched, and the old keys persisted. This seems like a potential security problem. + +--- + +[[bugs/done]] on 2008-10-26 in c8ab71b24b566967fdb39818d071f6548dc056c8 -- cgit v1.2.3 From 21fd6545dee4948cad0e726d47f092c9c86f2fba Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 22:07:07 -0400 Subject: comment to bug about existing invalid authentication keys. --- website/bugs/authorized_keys-options.mdwn | 2 -- ...e-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) (limited to 'website/bugs') diff --git a/website/bugs/authorized_keys-options.mdwn b/website/bugs/authorized_keys-options.mdwn index a066318..4e7a838 100644 --- a/website/bugs/authorized_keys-options.mdwn +++ b/website/bugs/authorized_keys-options.mdwn @@ -1,7 +1,5 @@ [[meta title="Monkeysphere support for options in authorized_keys"]] -# Monkeysphere support for options within `authorized_keys` # - OpenSSH [allows users to control the capabilities granted to remote key-based logins](http://www.hackinglinuxexposed.com/articles/20030109.html) by diff --git a/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn b/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn index 8181437..3c7e804 100644 
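Review bot: the closing note added to authorized_keys_not_cleared.mdwn records only a commit id (c8ab71b24b566967fdb39818d071f6548dc056c8) and a date, with no word on what the fix actually did; since the bug page itself says the stale keys "seem like a potential security problem", a one-line summary of the change (e.g. that the file is now truncated or rewritten rather than left untouched when no keys are found) would let a reader of the bug page confirm the fix without checking out that commit. The heading removal in authorized_keys-options.mdwn is fine as a style point, since `[[meta title=...]]` already supplies the page title.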
--- a/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-treats-revoked-auth-subkey-as-valid.mdwn @@ -19,3 +19,19 @@ revoked, so probably monkeysphere needs to be looking at gpg's computed validity from the public keyring instead of the secret keyring to be able to get the "r" flag from field 2, in addition to the "e" flag from field 12. + +--- + +So the problem is that there is no field 2 for secret keys. From +/usr/share/doc/gnupg/DETAILS.gz: + + 2. Field: A letter describing the calculated trust. This is a single + letter, but be prepared that additional information may follow + in some future versions. (not used for secret keys) + +Why would secret keys not have this field? They have validity too, +right? This doesn't make any sense. I verify that indeed there is no +output in field 2 for secret keys. I would say this is a bug in gpg, +but it's clearly done on purpose. Any ideas? + +-- jrollins -- cgit v1.2.3 From 88b92e7c69e2c59ece19ff015d150e179c797655 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 26 Oct 2008 22:16:32 -0400 Subject: comment to bug about parsing ssh config files. --- ...keysphere-ignores-HashKnownHosts-directive.mdwn | 33 --------------- website/bugs/ssh_config_files_not_parsed.mdwn | 47 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 33 deletions(-) delete mode 100644 website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn create mode 100644 website/bugs/ssh_config_files_not_parsed.mdwn (limited to 'website/bugs') diff --git a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn b/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn deleted file mode 100644 index 2dac579..0000000 --- a/website/bugs/monkeysphere-ignores-HashKnownHosts-directive.mdwn +++ /dev/null 
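Review bot: the new comment asks why secret keys have no field 2 and calls this a gpg bug, but the unchanged context lines directly above it already point at the answer and the remedy: the "calculated trust" is only computed for the public keyring, so the "r" flag has to be read from `gpg --list-keys --with-colons` output on the public keyring rather than from the secret keyring listing. The comment should state whether that approach was tried, or reference the earlier suggestion, so the bug page does not end on an open question the same page already answers.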
@@ -1,33 +0,0 @@ -In `~/.ssh/config`, i have: - - HashKnownHosts No - -But when `monkeysphere-ssh-proxycommand` adds new hosts to -`~/.ssh/known_hosts`, they appear to be added in a hashed form, -instead of in the clear. - -fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported -from sid) - ---- - -I can confirm this too (I'm running openssh-client 1:4.7p1-12) - --- Jamie (Jam Jam) - ---- - -There is absolutely no attempt by any monkeysphere utility to parse -any ssh or sshd config file. This will probably need to be delt with -down the line, but it's not a particular easy task at the moment. - --- Big Jimmy. - ---- - -I've [posted to the `openssh-unix-dev` list to see if there is a -possibility of openssh making our lives easier -here](http://marc.info/?l=openssh-unix-dev&m=121804767122918&w=2), but -i haven't had much of a response yet. - ---dkg diff --git a/website/bugs/ssh_config_files_not_parsed.mdwn b/website/bugs/ssh_config_files_not_parsed.mdwn new file mode 100644 index 0000000..ca851a8 --- /dev/null +++ b/website/bugs/ssh_config_files_not_parsed.mdwn 
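Review bot: this hunk removes all 33 lines of monkeysphere-ignores-HashKnownHosts-directive.mdwn while the next hunk recreates the same text under ssh_config_files_not_parsed.mdwn, so the patch shows a delete plus a create instead of a rename with a small addition; generating it with rename detection (`git format-patch -M`) would reduce it to the 14 genuinely new lines and make the actual change reviewable. Also worth noting that any existing links to the old bug page name will now be broken unless a redirect or the wiki's link handling covers it.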
@@ -0,0 +1,47 @@ +In `~/.ssh/config`, i have: + + HashKnownHosts No + +But when `monkeysphere-ssh-proxycommand` adds new hosts to +`~/.ssh/known_hosts`, they appear to be added in a hashed form, +instead of in the clear. + +fwiw: i'm using OpenSSH 5.1p1 on a debian lenny system (backported +from sid) + +--- + +I can confirm this too (I'm running openssh-client 1:4.7p1-12) + +-- Jamie (Jam Jam) + +--- + +There is absolutely no attempt by any monkeysphere utility to parse +any ssh or sshd config file. This will probably need to be delt with +down the line, but it's not a particular easy task at the moment. + +-- Big Jimmy. + +--- + +I've [posted to the `openssh-unix-dev` list to see if there is a +possibility of openssh making our lives easier +here](http://marc.info/?l=openssh-unix-dev&m=121804767122918&w=2), but +i haven't had much of a response yet. + +--dkg + +--- + +For some reason this didn't get mentioned in this bug earlier, but +there is a monkeysphere config variable about hashing known_hosts +lines, which is set to true by default (to be in sync with the Debian +openssh-client package). + +I think this bug is really more about the fact that monkeysphere does +not parse the ssh config files for any directives relavent to what the +monkeysphere is doing. I'm changing the name of this bug to reflect +what the real issue is. + +-- Big Jimmy. -- cgit v1.2.3
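Review bot: the new closing comment says "there is a monkeysphere config variable about hashing known_hosts lines, which is set to true by default" without naming the variable or the configuration file it lives in; since the whole point of the comment is that the reporter's `HashKnownHosts No` is overridden by that setting, the comment should name it so users hitting this can find and change it. Two typos carried over into the new file ("delt" for "dealt", "relavent" for "relevant") could be fixed in the same pass, given the text is being moved anyway.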