ssh offers without question all your keys to any server
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
If you connect to some ssh, then without question ssh seems to happily offer all of your private keys, therefore informing the target server about how many / which keys you have.
This is a privacy breach, consider:
you have a general key, you have a key used for a very important work server (id_rsa_
You connect to some game ssh server, or IRC shell or some testing VPS, and on connection you inform that server that you also have a key whose name indicates that you have a very important key.
User might not want to give away this information on connecting.
Solution: do not add any keys by default, or ask before offering them;
Or at least offer only the default key if it exists.
When applying this privacy fix, please remember to add a warning message informing users how to do ssh-add now (because of the change in behaviour), unless it will be an interactive question.
ProblemType: Bug
Architecture: amd64
Date: Sun Jan 10 15:05:37 2010
DistroRelease: Ubuntu 9.10
NonfreeKernelMo
Package: ssh (not installed)
ProcEnviron:
LANGUAGE=
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: openssh
Uname: Linux 2.6.31-17-generic x86_64
visibility: private → public
Thank you for using Ubuntu and taking the time to report a bug.
I'm afraid I don't understand the problem as described. For the SSH protocol, http://www.ietf.org/rfc/rfc4251.txt has details on the protocol architecture and http://www.ietf.org/rfc/rfc4252.txt specifically on the authentication protocol.
For the openssh implementation, openssh should only offer ~/.ssh/id_rsa or ~/.ssh/id_dsa by default, unless you have configured ssh differently (see man 1 ssh). Even if it did offer multiple keys, it would be multiple public keys that should give no indication of their use (therefore useless to an attacker).
Can you explain the problem with more detail including steps to reproduce? Thanks
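The behaviour the reporter describes comes from ssh-agent: when an agent is running, the client tries every key the agent holds against every host. The client-side mitigation that already exists in OpenSSH is the `IdentitiesOnly` option, which restricts ssh to the identity files configured for that host even when the agent offers more. The following `~/.ssh/config` is an added example written for this page, not part of the bug report or of the openssh package; the hostnames and key file names are made up.

```sshconfig
# ~/.ssh/config  (added example; hosts and key names are placeholders)

# Default behaviour for comparison: no IdentitiesOnly, so with an agent
# loaded via ssh-add, every agent key is offered to every host and the
# remote sshd learns how many keys you carry.
#
# Hardened form: only the key named for each host is ever offered,
# regardless of what ssh-agent holds.
Host *
    IdentitiesOnly yes

# The sensitive key is only ever presented to the host it belongs to.
Host work-server.example.com
    IdentityFile ~/.ssh/id_rsa_work

# Throwaway hosts (game shells, test VPSs) get their own low-value key.
Host games.example.net
    IdentityFile ~/.ssh/id_rsa_throwaway
```

To check what a given host is actually shown, run `ssh -v <host>` and look at the `debug1: Offering public key:` lines; with the configuration above only the per-host key should appear.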