Report a bug relative ssh key exchange.
Hi all,
Let me introduce myself: I'm an Italian boy, 22 years old, and I have worked in IT technologies for about 2 years. I have an enormous passion for computing in general.

I found a dangerous bug about ssh with key exchange. The bug affects only some distributions, in particular those that are used as a web server. If I create a directory ".ssh" for the user "www-data" in his home, which is usually "/var/www/", I can log in to the computer with: "ssh www-data@computer"

This is a stupid bug, but it's very dangerous. For my reasons, I entered into a site hosted on a Debian, using "Joomla administration" (a famous CMS), adding my "ssh key" in the ".ssh/authorized_keys". Maybe someone had already found it, but saying it another time isn't bad.

debian version: Linux HostName 2.6.8-3-686-smp #1 SMP Tue Dec 5 23:17:50 UTC 2006 i686 GNU/Linux
ssh version: OpenSSH_3.8.1p1 Debian-8.sarge.6, OpenSSL 0.9.7e 25 Oct 2004

Sorry for my bad English!!!

regards
Alberto Bravi, from Italy ;)

--
*Alberto Bravi*
E-mail: alberto.bravi@gmail.com
Skype: alberto.bravi
Report a bug relative ssh key exchange.
By the way, bugs are usually reported using the tool reportbug. That way your message ends up in the Debian Bug Tracking System (BTS). You sent your mail to a mailing list for users of Debian. Maintainers of Debian packages (who are responsible for dealing with their packages' problems) don't necessarily read this list.

Alberto Bravi:
> I found a dangerous bug about ssh with key exchange.

I'd say if it is a bug at all, it is a bug in the webserver you are running, not in OpenSSH.

> If I create a directory ".ssh", for the user "www-data", in his home
> that is usually, "/var/www/", i can log in the computer with: "ssh
> www-data@computer"

(I guess you meant to say that creating SSH keys in a directory which is usually readable by everyone over the internet is a bad idea.)

Then either change www-data's home directory or don't create keys for this user in the first place. I agree that this is quite a serious pitfall, but every component involved works as designed. I don't know the reasons for www-data using its document root as home directory, but I guess there are some. You can get around that problem by either changing /var/www's permissions or by disallowing access to the location /.ssh in your webserver.

J.

--
I can tell a Whopper[tm] from a BigMac[tm] and Coke[tm] from Pepsi[tm].
[Agree] [Disagree] <http://www.slowlydownward.com/NODATA/data_enter2.html>
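The pitfall the two posts describe (a service account whose home directory is the web document root, so anything that can write there can also drop an ~/.ssh/authorized_keys that sshd will honour) is easy to audit for. The script below is an added example written for this page, not code from the thread, from Debian or from OpenSSH: it parses passwd entries, flags accounts whose home sits under a web root, reports whether an authorized_keys file is present there, and prints the mitigations J. suggests (move the home, non-login shell, DenyUsers in sshd_config). The web-root list and the passwd sample are constructed assumptions; on a real host pass the contents of /etc/passwd and leave `key_exists` at its default.

```python
import os
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumption: directories served by the webserver on this host; adjust as needed.
DEFAULT_WEB_ROOTS = ("/var/www", "/srv/www")
# Shells that prevent interactive logins.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class Finding:
    """One account whose home directory lives inside a served web root."""
    user: str
    home: str
    shell: str
    has_authorized_keys: bool

    def advice(self) -> List[str]:
        # Mitigations from the thread, phrased as actions for the administrator.
        tips = [f"move {self.user}'s home out of the web root "
                f"(e.g. usermod -d /nonexistent {self.user})"]
        if self.shell not in NOLOGIN_SHELLS:
            tips.append(f"give {self.user} a non-login shell, e.g. {NOLOGIN_SHELLS[0]}")
        tips.append(f"refuse SSH logins explicitly: add 'DenyUsers {self.user}' to sshd_config")
        if self.has_authorized_keys:
            tips.append(f"{self.home}/.ssh/authorized_keys exists: review who added it "
                        f"and treat the host as possibly compromised")
        return tips


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies below it (prefix check on path components)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def audit_passwd(passwd_text: str,
                 web_roots: Iterable[str] = DEFAULT_WEB_ROOTS,
                 key_exists: Callable[[str], bool] = os.path.isfile) -> List[Finding]:
    """Parse passwd(5)-format text and return accounts homed inside a web root."""
    findings: List[Finding] = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess
        user, _pw, _uid, _gid, _gecos, home, shell = fields
        if any(_under(home, root) for root in web_roots):
            keyfile = os.path.join(home, ".ssh", "authorized_keys")
            findings.append(Finding(user, home, shell, bool(key_exists(keyfile))))
    return findings


# Constructed sample data: a Debian-like passwd excerpt plus a fake filesystem
# in which www-data's authorized_keys already exists.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001::/var/www/site:/usr/sbin/nologin
"""
SAMPLE_EXISTING_FILES = {"/var/www/.ssh/authorized_keys"}


def run_sample() -> List[Finding]:
    """Audit the constructed sample without touching the real filesystem."""
    return audit_passwd(SAMPLE_PASSWD, key_exists=lambda p: p in SAMPLE_EXISTING_FILES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.user}: home={finding.home} shell={finding.shell} "
              f"authorized_keys={'present' if finding.has_authorized_keys else 'absent'}")
        for tip in finding.advice():
            print("  -", tip)
```

On the sample, www-data is reported with an authorized_keys file present and a login shell, and deploy is reported only because its home is below /var/www (no key file, already a nologin shell). Note that denying HTTP access to /.ssh, as the reply also suggests, hides the directory from web clients but does not stop sshd from reading it, so the account-level fixes above are the ones that close the login path.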