Date:      Wed, 10 May 2000 16:42:54 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        "Chris D. Faulhaber" <jedgar@fxp.org>
Cc:        Peter van Dijk <petervd@vuurwerk.nl>, security@freebsd.org
Subject:   Re: envy.vuurwerk.nl daily run output
Message-ID:  <Pine.BSF.4.21.0005101627170.28527-100000@achilles.silby.com>
In-Reply-To: <Pine.BSF.4.10.10005101518090.75557-100000@pawn.primelocation.net>

On Wed, 10 May 2000, Chris D. Faulhaber wrote:

> On Wed, 10 May 2000, Mike Silbersack wrote:
> 
> > This just got me thinking... are .ssh/authorized_keys files checked for
> > changes by the security scripts?  I know I probably wouldn't notice for a
> > long while if someone had modified mine, all the time during which someone
> > could be playing around on the box.
> > 
> 
> I don't think it is the system's responsibility to check user's files;
> however, it might be a decent idea to have the system check to see
> anything in /etc/ssh/ has changed.  See
> http://www.fxp.org/~jedgar/230.backup-ssh for the script I use.

See, I'm not sure that authorized_keys are user files, as they perform the
same function that system passwords do.  And since ssh is now part of the
base system, they should be considered equal in importance to the password
file.

I understand that diffing every user's authorized_keys would be a huge
pain, perhaps only root/toor need to be checked.

In the long term, perhaps having a central database of all the public keys
on the system instead of authorized_keys is the correct answer.  In the
meantime, I think some thought should be put to the issue of watching
root's authorized_keys - if someone can find a way to cause some root
running daemon (say, mysql) to create an arbitrary authorized_keys, you'd
never see it happen in the security logs.

Mike "Silby" Silbersack
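
An added example, not part of the original e-mail and not the 230.backup-ssh script linked in the quoted reply: one way a daily security run could watch root's authorized_keys for creation, modification or removal. The baseline directory, the function name and the `--run` switch are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: compare an authorized_keys file with a root-only baseline copy
# and report any difference. BASELINE_DIR is an assumed location.
BASELINE_DIR="${BASELINE_DIR:-/var/backups/authorized_keys}"

# check_authorized_keys LABEL FILE
# Prints a report and returns 1 if FILE was created, changed or removed since
# the last run; returns 0 if nothing changed. The first run on a host that
# already has keys reports them once as "appeared".
check_authorized_keys() {
    label="$1"; file="$2"
    base="$BASELINE_DIR/$label.authorized_keys"
    rc=0
    mkdir -p "$BASELINE_DIR" && chmod 700 "$BASELINE_DIR"
    if [ -f "$file" ] && [ ! -f "$base" ]; then
        # Covers the case raised above: a file created where none existed.
        echo "$label: $file appeared (no baseline on record):"
        sed 's/^/+ /' "$file"
        rc=1
    elif [ ! -f "$file" ] && [ -f "$base" ]; then
        echo "$label: $file was removed"
        rc=1
    elif [ -f "$file" ] && ! cmp -s "$file" "$base"; then
        echo "$label: $file changed:"
        diff "$base" "$file" || true   # diff exits 1 when the files differ
        rc=1
    fi
    # Roll the baseline forward so each change is reported exactly once.
    if [ -f "$file" ]; then
        cp -p "$file" "$base" && chmod 600 "$base"
    else
        rm -f "$base"
    fi
    return $rc
}

# On FreeBSD root and toor share /root, so one check covers both accounts.
if [ "${1:-}" = "--run" ]; then
    check_authorized_keys root /root/.ssh/authorized_keys
fi
```

The baseline only helps if an attacker who can write the key file cannot also rewrite the baseline, so the report should leave the host (for example by mail) on the same run that detects the change.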


