From owner-freebsd-security Thu May 11 3:25: 2 2000
Message-ID: <391A8A3C.795C15F7@algroup.co.uk>
Date: Thu, 11 May 2000 11:23:56 +0100
From: Adam Laurie
To: Mike Silbersack
Cc: "Chris D. Faulhaber", Peter van Dijk, security@freebsd.org
Subject: Re: envy.vuurwerk.nl daily run output

Mike Silbersack wrote:
>
> On Wed, 10 May 2000, Chris D. Faulhaber wrote:
>
> > On Wed, 10 May 2000, Mike Silbersack wrote:
> >
> > > This just got me thinking... are .ssh/authorized_keys files checked for
> > > changes by the security scripts? I know I probably wouldn't notice for a
> > > long while if someone had modified mine, all the time during which someone
> > > could be playing around on the box.
> > >
> >
> > I don't think it is the system's responsibility to check user's files;
> > however, it might be a decent idea to have the system check to see
> > anything in /etc/ssh/ has changed. See
> > http://www.fxp.org/~jedgar/230.backup-ssh for the script I use.
>
> See, I'm not sure that authorized_keys are user files, as they perform the
> same function that system passwords do. And since ssh is now part of the
> base system, they should be considered equal in importance to the password
> file.

Absolutely. If someone backdoors your system with an authorized key, and
is confident they can gain root from a luser account, they don't need to
go any further, and it's extremely likely that the change will go
unnoticed *forever* (when was the last time you checked your own
authorized_keys file?)...

As it happens, I'm working on a patch for /etc/security at the moment -
I'll post it for review...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
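
Added example, not part of the original message and not the /etc/security patch Adam mentions: one way a nightly job could notice a changed authorized_keys file, by comparing each account's file with the copy saved on the previous run. The function name and the state directory are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: not Adam Laurie's patch and not FreeBSD's /etc/security code.
# Usage (as root from a nightly job; the state directory is an assumption):
#   check_authorized_keys /etc/passwd /var/backups/authorized_keys
# Reports every account whose ~/.ssh/authorized_keys was added, changed or
# removed since the previous run, then refreshes the saved copy.
# Returns 1 if there is anything to report, 0 if not, 2 on setup failure.
check_authorized_keys() {
    passwd_file=$1
    state_dir=$2
    changed=0
    mkdir -p "$state_dir" && chmod 700 "$state_dir" || return 2

    # passwd(5): field 1 is the login name, field 6 the home directory.
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip comments, blank lines and names unsafe to use as a file name.
        case $user in ''|\#*|*/*|.*) continue ;; esac
        [ -n "$home" ] || continue
        keys=$home/.ssh/authorized_keys
        saved=$state_dir/$user.authorized_keys

        if [ -L "$keys" ]; then
            # The path is user-controlled: never follow a link as root.
            echo "$user: $keys is a symlink, not followed"
            changed=1
        elif [ -f "$keys" ]; then
            if [ ! -f "$saved" ]; then
                echo "$user: authorized_keys added ($keys)"
                changed=1
            elif ! cmp -s "$keys" "$saved"; then
                echo "$user: authorized_keys changed ($keys)"
                diff "$saved" "$keys" | sed 's/^/    /'
                changed=1
            fi
            cp "$keys" "$saved" && chmod 600 "$saved"
        elif [ -f "$saved" ]; then
            echo "$user: authorized_keys removed ($keys)"
            rm -f "$saved"
            changed=1
        fi
    done < "$passwd_file"
    return $changed
}
```

The first run reports every existing key file as added, which gives a baseline to review by hand; after that only differences are reported.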