Bug#493874: #516230 in combination with #493874 creates a serious issue
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Mar 16 01:05:00 UTC 2009
hey folks--

#493874 (gnome-keyring doesn't ask for confirmation with ssh keys), in
combination with #516230 (gnome-keyring daemon acts as ssh-agent even
when instructed not to) causes a potentially serious security problem.

In particular, people who use ssh-agent regularly, and expect to receive
confirmation before use of their keys, are at risk. Since the default
debian desktop installs gnome, and gnome installs gnome-keyring, those
users are at a serious risk of having their keys available for
non-confirmed use.

if gnome-keyring is unable to honor a constraint requested by a user, it
should *not* import the key in the first place and fail hard, as opposed
to importing it and ignoring the requested constraint.

--dkg
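
The fail-hard behaviour requested in the message above, sketched as an added example; it is not part of the original e-mail and is not gnome-keyring or OpenSSH code. The `ModelAgent` class and its method names are hypothetical, key blobs are treated as opaque bytes, and the message and constraint numbers are those of the ssh-agent protocol as OpenSSH defines them.

```python
import struct

# Message and constraint numbers from the ssh-agent protocol (as in OpenSSH).
SSH_AGENT_FAILURE, SSH_AGENT_SUCCESS = 5, 6
SSH2_AGENTC_ADD_IDENTITY, SSH2_AGENTC_ADD_ID_CONSTRAINED = 17, 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1  # followed by a uint32 number of seconds
SSH_AGENT_CONSTRAIN_CONFIRM = 2   # no payload (what `ssh-add -c` requests)

def parse_constraints(buf):
    """Decode the constraint list that trails a constrained add request."""
    wanted, i = {}, 0
    while i < len(buf):
        ctype = buf[i]
        i += 1
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            if i + 4 > len(buf):
                raise ValueError("truncated lifetime constraint")
            wanted["lifetime"] = struct.unpack(">I", buf[i:i + 4])[0]
            i += 4
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            wanted["confirm"] = True
        else:
            raise ValueError("unknown constraint type %d" % ctype)
    return wanted

class ModelAgent:
    """Hypothetical agent model; key blobs are treated as opaque bytes."""
    def __init__(self, enforceable):
        self.enforceable = set(enforceable)  # constraints this agent can honor
        self.keys = {}                       # comment -> (blob, constraints)

    def add_identity(self, msg_type, blob, comment, constraint_bytes=b""):
        wanted = {}
        if msg_type == SSH2_AGENTC_ADD_ID_CONSTRAINED:
            try:
                wanted = parse_constraints(constraint_bytes)
            except ValueError:
                return SSH_AGENT_FAILURE      # malformed or unknown: refuse
            if not set(wanted) <= self.enforceable:
                return SSH_AGENT_FAILURE      # cannot honor it: do not import
        elif msg_type != SSH2_AGENTC_ADD_IDENTITY:
            return SSH_AGENT_FAILURE
        self.keys[comment] = (blob, wanted)
        return SSH_AGENT_SUCCESS

    def may_sign(self, comment, ask_user):
        """Gate each use: a confirm-constrained key needs the user's approval."""
        if comment not in self.keys:
            return False
        constraints = self.keys[comment][1]
        return ask_user(comment) if constraints.get("confirm") else True
```

An agent built with `enforceable={"lifetime"}` rejects a confirm-constrained add and stores nothing, so the client sees the failure instead of a silently unconstrained key.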