From owner-freebsd-stable@FreeBSD.ORG Sun Mar 2 22:46:19 2014
Delivered-To: freebsd-stable@freebsd.org
From: Eitan Adler
Date: Sun, 2 Mar 2014 17:45:48 -0500
Subject: Re: ssh-copy-id
To: Mark Felder
Cc: freebsd-stable, Jilles Tjoelker
In-Reply-To: <1393686144.13293.89322249.7BB6D2F8@webmail.messagingengine.com>
References: <2cba8fd9cc51dedc1bd5e127046f4ab7@dweimer.net> <1393618827.9046.89104957.4A974C56@webmail.messagingengine.com> <1393625741.9928.89141917.3B723B0F@webmail.messagingengine.com> <20140228234214.GA23514@stack.nl> <1393686144.13293.89322249.7BB6D2F8@webmail.messagingengine.com>
List-Id: Production branch of FreeBSD source code

On 1 March 2014 10:02, Mark Felder wrote:
>
>
> On Fri, Feb 28, 2014, at 21:11, Eitan Adler wrote:
>> On 28 February 2014 18:42, Jilles Tjoelker wrote:
>> > On Fri, Feb 28, 2014 at 06:08:10PM -0500, Eitan Adler wrote:
>> >> On 28 February 2014 17:15, Mark Felder wrote:
>> >> ....
>> >
>> >> > In my opinion, if I'm using an ssh utility and I specify the "-i" flag, it
>> >> > should be the private key.
>> >
>> >> Hey all,
>> >
>> >> Sorry about the confusion ssh-copy-id has caused you.
>> >
>> >> Does the following patch help?
>> >
>> > In addition to that, it may be useful to add an explicit check against
>> > sending private keys. Even though printf(1) fails, the receiving server
>> > still gets the private key and a malicious root user might steal it.
>> >
>> > For example, any key starting with '-' is inappropriate.
>>
>> I thought about adding a check for private keys. However, such a check
>> is insufficient since the user may have supplied other private files
>> accidentally, such as /etc/passwd or a GPG key.
>>
>
> I suppose you could whitelist certain types of keys and only permit
> those to be used with ssh-copy-id and exit/error if something else is
> fed to it.

I still have some trauma from seeing libmagic used in security-sensitive
contexts. However, in this case adding a whitelist based on file(1) is
not a terrible idea. I'll try to work on this, but no promises. I'd be
happy to review if you come up with a patch.

-- 
Eitan Adler
Source, Ports, Doc committer
Bugmeister, Ports Security teams
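One way to implement the whitelist Mark and Eitan discuss, as an added example that is not part of this thread, of the patch under discussion, or of ssh-copy-id itself: a POSIX sh check that accepts a file only if every non-blank, non-comment line is an OpenSSH public key of a known type, and that cross-checks the declared type token against the start of the base64 blob (the blob encodes the length-prefixed type string, so a real ssh-ed25519 blob always begins "AAAAC3NzaC1lZDI1NTE5", and so on). A PEM private key, /etc/passwd or a GPG key block fails before anything is sent over the network, which is the property Jilles asks for. Function names, the wrapper and the sample key lines used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from ssh-copy-id or from the patch discussed above.
# Whitelist check: is the file handed to "-i" really an OpenSSH public key?
# A public key line has the form "<type> <base64 blob> [comment]", and the
# blob begins with the same type string (length-prefixed, base64 encoded),
# so the declared type and the blob can be checked against each other.

# Expected start of the base64 blob for each whitelisted key type.
# These prefixes are the base64 encoding of "\0\0\0<len><type string>".
blob_prefix_for() {
    case "$1" in
        ssh-rsa)             echo 'AAAAB3NzaC1yc2E' ;;
        ssh-dss)             echo 'AAAAB3NzaC1kc3M' ;;
        ssh-ed25519)         echo 'AAAAC3NzaC1lZDI1NTE5' ;;
        ecdsa-sha2-nistp256) echo 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY' ;;
        ecdsa-sha2-nistp384) echo 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ' ;;
        ecdsa-sha2-nistp521) echo 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE' ;;
        *)                   return 1 ;;   # not whitelisted
    esac
}

# Return 0 if one line is "type blob [comment]" with a whitelisted type and
# a blob whose start agrees with that type; 1 otherwise.
is_pubkey_line() {
    line=$1
    # Shape check first: rejects PEM "-----BEGIN", passwd lines, PGP blocks.
    printf '%s\n' "$line" | grep -Eq '^[a-z0-9-]+ [A-Za-z0-9+/]+={0,2}( .*)?$' \
        || return 1
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    prefix=$(blob_prefix_for "$ktype") || return 1
    case "$blob" in
        "$prefix"*) return 0 ;;
        *)          return 1 ;;   # declared type and blob disagree
    esac
}

# Return 0 if the file holds at least one acceptable public key line and
# nothing else except blank lines and '#' comments; 1 otherwise.
is_pubkey_file() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        is_pubkey_line "$line" || return 1
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ]
}

# Hypothetical wrapper: refuse locally, before ssh-copy-id touches the network.
copy_id_checked() {
    keyfile=$1
    shift
    if ! is_pubkey_file "$keyfile"; then
        echo "refusing to send '$keyfile': not a recognised OpenSSH public key file" >&2
        return 1
    fi
    ssh-copy-id -i "$keyfile" "$@"
}
```

The check is deliberately about format, not identity: it does not prove the key is yours, only that the file cannot be a private key or some other secret. Lines that carry authorized_keys options in front of the type (for example `from="..." ssh-rsa ...`) are rejected by this version, and nothing here replaces the existing ssh-copy-id error handling; it only runs first.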