Hi!

On Tue, Sep 11, 2018 at 07:18:23PM -0600, Chris Murphy wrote:
> I've filed a gnome-shell bug (see link below) for a change in modal
> dialog I see when connecting to an ssh server using public key
> authentication. The Fedora 28 dialog shows the key name, the Fedora 29
> dialog is generic, I can only guess by time proximity what I'm
> entering the passphrase for.
>
> Question is whether this constitutes an "important" security bug or
> higher. The bug has screenshots for both the F28 and F29 dialogs in
> question.

I would not classify it as "Important impact" or "Critical impact", as even triggering that dialog requires access as a local user.

I'd also not consider it as a "Moderate impact", as it only happens as a result of a user action and should not leak any information. (The key fingerprint is transmitted to the server even before the password is requested.)

Therefore (in my personal opinion) I'd classify it as a "Low impact" issue, as it might be a warning sign if an unexpected key is accepted by the server. (Even then there should be a hostkey mismatch warning, but the Red Hat security rating also allows for unlikely circumstances.)

Best regards,
David
_______________________________________________
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to security-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/security@xxxxxxxxxxxxxxxxxxxxxxx