summaryrefslogtreecommitdiff
path: root/website/bugs/authorized_keys_not_cleared.mdwn
blob: 4ba347b667fe9abe555be215a3361b4299a4b6fd (plain)

[[meta title="users with missing or empty authorized keys and User IDs should have MS-generated keys cleared" ]]

I had a user who had a bunch of entries in ~/.monkeysphere/authorized_user_ids, and a bunch of raw keys in ~/.ssh/authorized_keys. My system's monkeysphere-server handled this situation appropriately, and populated /var/lib/monkeysphere/authorized_keys/user with the full set.

Then i wanted to wipe out all key entries for that user. So i did:

mkdir ~user/backup
mv ~user/.ssh ~user/.monkeysphere ~user/backup
monkeysphere-server update-users user

I expected this to either remove /var/lib/monkeysphere/authorized_keys/user, or truncate it to 0 bytes. However, it just remained untouched, and the old keys persisted.

This seems like a potential security problem.


[[bugs/done]] on 2008-10-26 in c8ab71b24b566967fdb39818d071f6548dc056c8