Feature Request (re: CVE-2023-3840)


On 19.07.23 16:40, Damien Miller wrote:
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.

Upon trying to deploy such a workaround, I found that the call to ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup mechanisms. (As in, did "find | xargs grep ssh-agent" and such across the entire OS install and *still* haven't found it.)

Feature request: Please consider giving ssh-agent(1) a config file(s) to drop at least the potentially security-relevant options into.

(One would think that when the maintainers of hulking package X call out to an executable of entirely different package Y that has a nontrivial command line syntax, it'd be a no-brainer to put an X-maintained wrapper script in between, just in case that the maintainers of Y pull an ncat(1) and rename a bunch of options, but noooo ...)

Kind regards,
Jochen Bern

Binect GmbH
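The kind of wrapper the message asks for, written as an added example (it is neither OpenSSH project code nor anything the poster shipped): a small POSIX sh script that reads a provider allowlist from a config file and starts ssh-agent(1) with a matching `-P` pattern-list, falling back to `ssh-agent -P ''` (the workaround quoted above) when the file is missing or empty. The config path `/etc/ssh/ssh-agent-allowlist` and the script name `ssh-agent-wrapper` are assumptions, and the sample library paths in the comments are constructed; `-P` itself is a real ssh-agent(1) option.

```shell
#!/bin/sh
# ssh-agent-wrapper: start ssh-agent(1) with an explicit PKCS#11/FIDO provider
# allowlist. Added example, not OpenSSH code. The desktop session calls this
# wrapper instead of ssh-agent directly, so the allowlist lives in one file
# rather than in whatever GUI startup glue happens to invoke the agent.
set -eu

# Hypothetical config location; override with the environment if needed.
SSH_AGENT_ALLOWLIST="${SSH_AGENT_ALLOWLIST:-/etc/ssh/ssh-agent-allowlist}"

# Print the -P pattern-list built from an allowlist file. File format (one
# entry per line, '#' comments and blank lines ignored), e.g. constructed:
#   /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#   /usr/lib/libsk-libfido2.so
# Entries must be absolute paths (globs such as /usr/lib/* and negations
# such as !/usr/lib/* are passed through, as ssh pattern-lists allow).
# A missing or empty file yields an empty string, i.e. "ssh-agent -P ''",
# which refuses every provider library.
agent_allowlist_pattern() {
    file="$1"
    pattern=""
    [ -r "$file" ] || { printf '%s' ""; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                       # strip trailing comment
        line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -n "$line" ] || continue
        case "$line" in
            /*|!/*) ;;
            *) printf 'ssh-agent-wrapper: ignoring non-absolute entry: %s\n' "$line" >&2
               continue ;;
        esac
        if [ -z "$pattern" ]; then pattern="$line"; else pattern="$pattern,$line"; fi
    done < "$file"
    printf '%s' "$pattern"
}

# Locate the real agent binary; fails if ssh-agent is not installed.
find_ssh_agent() { command -v ssh-agent; }

main() {
    pattern="$(agent_allowlist_pattern "$SSH_AGENT_ALLOWLIST")"
    agent="$(find_ssh_agent)" || { echo 'ssh-agent-wrapper: ssh-agent not found' >&2; exit 127; }
    # -P is always passed: an empty pattern means "no providers at all".
    exec "$agent" -P "$pattern" "$@"
}

# Only exec the agent when invoked under the wrapper's own name, so the
# functions can be sourced and tested without starting an agent.
case "${0##*/}" in
    ssh-agent-wrapper) main "$@" ;;
esac
```

Install it as `ssh-agent-wrapper` and point the session startup at it; any further ssh-agent options (for example `-s` or `-D`) are forwarded unchanged after the `-P` argument, so later renames of other options only have to be tracked in this one file.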


openssh-unix-dev mailing list
