
List:       oss-security
Subject:    Re: [oss-security] Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From:       Axel Beckert <abe () deuxchevaux ! org>
Date:       2024-03-30 21:46:17
Message-ID: 20240330214617.fzevnlz4nrqvgbwp () sym ! noone ! org


Hi Andres,

On Sat, Mar 30, 2024 at 12:48:50PM -0700, Andres Freund wrote:
> FWIW, RSA_public_decrypt is reachable, regardless of server configuration,
> when using certificate based authentication.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Wait, do you really mean SSH keys verified by certificates issued by a
(usually internal, SSH-specific) certificate authority (CA) for a key?

See e.g.
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication
for what certificate-based authentication in SSH actually means.

In my experience certificate-based SSH authentication (i.e. those
algorithms with *-cert-* in their names) is rather rare, while simple
public key authentication (where you just put your corresponding pubkey
into .ssh/authorized_keys) is very common.

Can you clarify if you really meant that solely certificate based
authentication (with certificates issued by a CA) triggers that code
path or if you actually meant all sorts of public key based
authentication in general?

		Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/

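An added example (my own code, not part of Axel's mail and not OpenSSH's own tooling) that makes the distinction behind the question concrete: a small Python inventory that reports, from constructed sshd_config and authorized_keys samples, whether a host accepts only plain public-key entries or also trusts a CA (TrustedUserCAKeys in sshd_config, or a cert-authority entry in authorized_keys). Match blocks and quoted option values containing whitespace are not handled.

```python
import re

# The key type is the first token like ssh-ed25519 / ecdsa-sha2-nistp256 /
# sk-ssh-ed25519@openssh.com, followed by a base64 blob (always starting "AAAA").
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.+-]+)\s+AAAA[0-9A-Za-z+/=]+")
# The cert-authority option marks an authorized_keys entry as a CA key, not a user key.
CA_OPT_RE = re.compile(r"(?:^|[,\s])cert-authority(?:[,\s]|$)")

# Constructed sample inputs (key blobs are truncated placeholders, not real keys).
SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub
PasswordAuthentication no
"""
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
# comment line
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER bob@ci
cert-authority,principals="ops" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ca@corp
"""

def sshd_options(text):
    """Effective sshd_config options (lowercased; first occurrence wins, as sshd does)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            if len(parts) == 2:
                opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def classify_authorized_keys(text):
    """Count plain user keys vs cert-authority (CA) entries in an authorized_keys file."""
    counts = {"plain": 0, "ca": 0}
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if not m or line.lstrip().startswith("#"):
            continue
        options = line[:m.start(1)]  # everything before the key type is the options list
        counts["ca" if CA_OPT_RE.search(options) else "plain"] += 1
    return counts

def summarize(config_text, authorized_keys_text):
    """Report which public-key mechanisms this host is set up to accept."""
    opts = sshd_options(config_text)
    keys = classify_authorized_keys(authorized_keys_text)
    return {
        "pubkey_auth": opts.get("pubkeyauthentication", "yes").lower() == "yes",  # sshd default: yes
        "cert_auth_via_config": "trustedusercakeys" in opts,
        "cert_auth_via_authorized_keys": keys["ca"] > 0,
        "plain_keys": keys["plain"],
        "ca_entries": keys["ca"],
    }
```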
