From owner-freebsd-security Wed May 10 14:42:58 2000
Date: Wed, 10 May 2000 16:42:54 -0500 (CDT)
From: Mike Silbersack
To: "Chris D. Faulhaber"
Cc: Peter van Dijk, security@freebsd.org
Subject: Re: envy.vuurwerk.nl daily run output
Sender: owner-freebsd-security@FreeBSD.ORG

On Wed, 10 May 2000, Chris D. Faulhaber wrote:

> On Wed, 10 May 2000, Mike Silbersack wrote:
>
> > This just got me thinking... are .ssh/authorized_keys files checked for
> > changes by the security scripts? I know I probably wouldn't notice for a
> > long while if someone had modified mine, all the time during which someone
> > could be playing around on the box.
> >
>
> I don't think it is the system's responsibility to check user's files;
> however, it might be a decent idea to have the system check to see
> anything in /etc/ssh/ has changed. See
> http://www.fxp.org/~jedgar/230.backup-ssh for the script I use.

See, I'm not sure that authorized_keys are user files, as they perform the same function that system passwords do. And since ssh is now part of the base system, they should be considered equal in importance to the password file.

I understand that diffing every user's authorized_keys would be a huge pain, perhaps only root/toor need to be checked. In the long term, perhaps having a central database of all the public keys on the system instead of authorized_keys is the correct answer.

In the meantime, I think some thought should be put to the issue of watching root's authorized_keys - if someone can find a way to cause some root running daemon (say, mysql) to create an arbitrary authorized_keys, you'd never see it happen in the security logs.

Mike "Silby" Silbersack
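
An added sketch, not part of the original thread, of the check discussed above: it keeps a copy of an authorized_keys file between runs and prints a diff when the file is edited, created or removed. The function name `check_authkeys` and the state directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. check_authkeys and the state
# directory layout are hypothetical names chosen for this sketch.

# check_authkeys KEYFILE STATEDIR
#   returns 0 = unchanged since last run, 1 = changed (diff printed),
#   2 = could not maintain the saved copy
check_authkeys() {
    keyfile=$1
    statedir=$2
    saved="$statedir/$(printf '%s' "$keyfile" | tr '/' '_')"
    mkdir -p "$statedir" && chmod 700 "$statedir" || return 2

    # Treat a missing file as empty, so creation and deletion of
    # authorized_keys are reported just like an edit.
    cur=/dev/null; if [ -f "$keyfile" ]; then cur=$keyfile; fi
    old=/dev/null; if [ -f "$saved" ]; then old=$saved; fi

    if cmp -s "$old" "$cur"; then
        return 0
    fi
    echo "$keyfile differs from the last recorded copy:"
    diff "$old" "$cur" || true   # diff exits 1 when files differ
    if [ -f "$keyfile" ]; then
        cp "$keyfile" "$saved" && chmod 600 "$saved" || return 2
    else
        rm -f "$saved"
    fi
    return 1
}

# Demonstration on constructed data in a scratch directory. A daily root
# job would instead call something like (state path is an assumption):
#   check_authkeys /root/.ssh/authorized_keys /var/backups/authkeys
demo() {
    tmp=$(mktemp -d) || return 2
    keys="$tmp/authorized_keys"
    echo "ssh-rsa AAAAconstructedkey1 admin@example" > "$keys"
    check_authkeys "$keys" "$tmp/state" >/dev/null || true  # baseline
    unchanged=0; check_authkeys "$keys" "$tmp/state" || unchanged=$?
    echo "ssh-rsa AAAAconstructedkey2 unknown@example" >> "$keys"
    changed=0; check_authkeys "$keys" "$tmp/state" || changed=$?
    rm -rf "$tmp"
    echo "status when unchanged: $unchanged, after a key is appended: $changed"
}
demo
```

Because a missing file is compared as empty, the first run on a host that already has keys reports them all once; later runs report only differences.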