b***@mindrot.org
2003-11-13 22:29:59 UTC
http://bugzilla.mindrot.org/show_bug.cgi?id=758
Summary: if authorized keys exchanged, regular user can gain
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
URL: http://www.mainelinesys.com
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: ssh
AssignedTo: openssh-***@mindrot.org
ReportedBy: ***@maurand.com
If an authorized key (~/.ssh/authorized_keys2) for root on one machine has been exchanged to
another machine and a normal user issues, from the first machine, ssh -l root machine2, the
normal user on machine one will be logged in as root on machine2.
Steps to recreate:
On Machine #1:
1. Make yourself root
2. ssh-keygen -b 2048 -t dsa
3. scp .ssh/id_dsa.pub ***@machine2:/root (you must enter a password at this point)
4. exit the root shell to normal shell
On Machine #2:
1. Make yourself root
2. cat id_dsa.pub >>.ssh/authorized_keys2
3. logout
On Machine #1:
(note, you should be a normal user now.)
1. ssh -l root machine2
2. You are now logged into machine #2 as root without entering a password.
Thought you should know this. I tested between 2 RedHat 9.0 machines.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.