openssh bugs - Oct 2011 - [Bug 1947] New: Log authorized_keys format issues and refuse to accept keys

https://bugzilla.mindrot.org/show_bug.cgi?id=1947

             Bug #: 1947
           Summary: Log authorized_keys format issues and refuse to accept
                    keys
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dave at treblig.org


I was trying to add a command="blah" limit on a key in
.ssh/authorized_keys for the first time in many years; and a few
problems struck me:

1) When I screwed up there was no log to say that it hit a badly
formatted line in authorized_keys
2) A simple error - e.g. putting a line break after the command="..."
part and before the key resulted in a key with no restriction.

So I suggest if you find a command="....." or other option section
that
should be with a key and there is no key, then it should be logged that
you hit it and you should stop reading the authorized_keys file because
something is wrong.

Ideally you should carry on reading the authorized_keys to check its
validity, even once you hit a valid entry, that way you can spot other
screwups - e.g. in my case I first misread the man page to think I was
supposed to put the command="..." on the following line.

OK, so you're not going to be able to catch all screwups; but it should
be pretty paranoid.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1947

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-12-02 11:16:13
EST ---
It's a bit of a balance between providing safety and not locking people
out of their hosts - an accidental ":wq" somewhere or a truncated key
line shouldn't IMO be treated as fatal.

OTOH, there should be some feedback in sshd logs about failures here.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1947

--- Comment #2 from Dr. David Alan Gilbert <dave at treblig.org>
2011-12-04 05:12:02 EST ---
I agree it's a trade off, but I think I'd like to have the choice to
have a machine set up to be paranoid and make it fail with a bad line;
either to fail on any problem or something like requiring every line to
explicitly state anything that's allowed.

I also think there may be intermediates of paranoid and permissive -
e.g.
maybe if you see a command="..." with no key then you could ignore the
next key. It would take some thinking about though.

Dave

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.