List: oss-security
Subject: Re: [oss-security] Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Axel Beckert <abe () deuxchevaux ! org>
Date: 2024-03-30 21:46:17
Message-ID: 20240330214617.fzevnlz4nrqvgbwp () sym ! noone ! org
Hi Andres,
On Sat, Mar 30, 2024 at 12:48:50PM -0700, Andres Freund wrote:
> FWIW, RSA_public_decrypt is reachable, regardless of server configuration,
> when using certificate based authentication.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Wait, do you really mean SSH keys verified by certificates issued by a
(usually internal, SSH-specific) certificate authority (CA) for a key?
See e.g.
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication
for what certificate-based authentication in SSH actually means.
From my experience, certificate-based SSH authentication (i.e. those
algorithms with *-cert-* in their names) is rather rare, while simple
public key authentication (where you just put your corresponding pubkey
into .ssh/authorized_keys) is very common.
Can you clarify if you really meant that solely certificate based
authentication (with certificates issued by a CA) triggers that code
path or if you actually meant all sorts of public key based
authentication in general?
Kind regards, Axel
--
PGP: 2FF9CD59612616B5 /~\ Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org \ / Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org X
https://axel.beckert.ch/ / \ I love long mails: https://email.is-not-s.ms/
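To tell which of the two modes Axel distinguishes is actually configured on a host (a CA trusted via TrustedUserCAKeys or a cert-authority entry in authorized_keys, versus plain public keys), here is a small audit script. It is an added example written for this archive page, not code from the thread or from OpenSSH; the sshd_config and authorized_keys contents below are constructed samples, and the parsing follows the sshd_config(5)/authorized_keys formats as I understand them (Match blocks are not handled).

```python
import re
import shlex

# Key-type prefixes OpenSSH uses for public keys (plain or certificate).
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-|ecdsa-sha2-)")


def parse_authorized_keys(text):
    """Split authorized_keys entries into plain public keys and
    cert-authority entries (CAs whose signed user certificates sshd accepts)."""
    plain, cas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted options like command="..." whole
        if KEY_TYPE_RE.match(tokens[0]):
            options, keytype = [], tokens[0]          # no options field present
        else:
            options, keytype = tokens[0].split(","), tokens[1]
        (cas if "cert-authority" in options else plain).append(keytype)
    return {"plain_keys": plain, "cert_authorities": cas}


def parse_sshd_config(text):
    """Return the TrustedUserCAKeys path, or None if unset or set to 'none'.
    sshd uses the first occurrence of a keyword; keywords are case-insensitive."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if parts[0].lower() == "trustedusercakeys" and len(parts) == 2:
            value = parts[1].strip()
            return None if value.lower() == "none" else value
    return None


def audit(sshd_config, authorized_keys):
    """Summarise whether certificate-based and/or plain pubkey auth is configured."""
    ca_file = parse_sshd_config(sshd_config)
    keys = parse_authorized_keys(authorized_keys)
    return {
        "certificate_auth_configured": ca_file is not None or bool(keys["cert_authorities"]),
        "plain_pubkey_auth_configured": bool(keys["plain_keys"]),
        "trusted_user_ca_keys": ca_file,
        **keys,
    }


# Constructed sample input: CA line commented out in sshd_config, one plain key
# and one cert-authority entry (with quoted options) in authorized_keys.
SAMPLE_SSHD_CONFIG = "Port 22\n# TrustedUserCAKeys /etc/ssh/ca.pub\nPubkeyAuthentication yes\n"
SAMPLE_AUTHORIZED_KEYS = (
    'ssh-ed25519 AAAAC3EXAMPLE alice@laptop\n'
    'cert-authority,principals="ops" ssh-rsa AAAAB3EXAMPLE internal-ca\n'
)

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS))
```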