Date: Thu, 11 May 2000 11:23:56 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: Mike Silbersack <silby@silby.com>
Cc: "Chris D. Faulhaber" <jedgar@fxp.org>, Peter van Dijk <petervd@vuurwerk.nl>, security@freebsd.org
Subject: Re: envy.vuurwerk.nl daily run output
Message-ID: <391A8A3C.795C15F7@algroup.co.uk>
References: <Pine.BSF.4.21.0005101627170.28527-100000@achilles.silby.com>

Mike Silbersack wrote:
>
> On Wed, 10 May 2000, Chris D. Faulhaber wrote:
>
> > On Wed, 10 May 2000, Mike Silbersack wrote:
> >
> > > This just got me thinking... are .ssh/authorized_keys files checked for
> > > changes by the security scripts? I know I probably wouldn't notice for a
> > > long while if someone had modified mine, all the time during which someone
> > > could be playing around on the box.
> > >
> >
> > I don't think it is the system's responsibility to check user's files;
> > however, it might be a decent idea to have the system check to see
> > anything in /etc/ssh/ has changed. See
> > http://www.fxp.org/~jedgar/230.backup-ssh for the script I use.
>
> See, I'm not sure that authorized_keys are user files, as they perform the
> same function that system passwords do. And since ssh is now part of the
> base system, they should be considered equal in importance to the password
> file.

Absolutely. If someone backdoors your system with an authorized key, and
is confident they can gain root from a luser account, they don't need to
go any further, and it's extremely likely that the change will go
unnoticed *forever* (when was the last time you checked your own
authorized_keys file?)...

As it happens, I'm working on a patch for /etc/security at the moment -
I'll post it for review...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
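
One way the check discussed in this thread could look, as an added example that is not Adam Laurie's patch, Chris Faulhaber's script or FreeBSD's own /etc/security: a function a daily run could call to report new, changed or removed authorized_keys files against a saved baseline. The function name, the passwd-format input file and the state directory are assumptions.

```shell
#!/bin/sh
# Added example: report changes to users' .ssh/authorized_keys files.
# Assumptions: home directories come from field 6 of a passwd-format file,
# and baselines live in a state directory only root can write to.

# check_authkeys PASSWD_FILE STATE_DIR
# Prints NEW/CHANGED/REMOVED lines (plus a unified diff for changes) so the
# output can be mailed with the rest of the daily run.
# Exit status: 0 = nothing changed, 1 = something was reported, 2 = setup error.
check_authkeys() {
    passwd_file=$1
    state_dir=$2
    changed=0
    mkdir -p "$state_dir" && chmod 700 "$state_dir" || return 2

    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|\#*) continue ;; esac      # skip blanks and comments
        cur="$home/.ssh/authorized_keys"
        base="$state_dir/$user.authorized_keys"

        if [ -f "$cur" ] && [ ! -f "$base" ]; then
            echo "NEW $user: $cur"
        elif [ ! -f "$cur" ] && [ -f "$base" ]; then
            echo "REMOVED $user: $cur"
            rm -f "$base"
            changed=1
            continue
        elif [ -f "$cur" ] && ! cmp -s "$cur" "$base"; then
            echo "CHANGED $user: $cur"
            diff -u "$base" "$cur" || true          # diff exits 1 on differences
        else
            continue                                # unchanged, or never present
        fi
        changed=1
        cp -p "$cur" "$base"                        # report once, then re-baseline
    done < "$passwd_file"
    return $changed
}
```

Because each change is reported once and then becomes the new baseline, the report is only useful if someone reads it and the state directory is not writable by the accounts being checked.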
