Bug#493874: #516230 in combination with #493874 creates a serious issue

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 16 01:05:00 UTC 2009


hey folks--

#493874 (gnome-keyring doesn't ask for confirmation with ssh keys), in
combination with #516230 (gnome-keyring daemon acts as ssh-agent even
when instructed not to) causes a potentially serious security problem.

In particular, people who use ssh-agent regularly and expect to receive
confirmation before use of their keys are at risk.  Since the default
Debian desktop installs GNOME, and GNOME installs gnome-keyring, those
users are at a serious risk of having their keys available for
non-confirmed use.

If gnome-keyring is unable to honor a constraint requested by a user, it
should *not* import the key in the first place and fail hard, as opposed
to importing it and ignoring the requested constraint.

	--dkg
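
The fail-hard behaviour requested in the message above, sketched as an added example; it is not part of the original message and is not gnome-keyring or OpenSSH code. The message and constraint numbers are those of the ssh-agent protocol, while `parse_constraints`, `struct key_policy` and the `CAP_*` flags are hypothetical names, and the input is assumed to be the constraint bytes that follow the key and comment in an add-identity-with-constraints request.

```c
#include <stddef.h>
#include <stdint.h>

/* Reply and constraint numbers from the ssh-agent protocol. */
#define SSH_AGENT_FAILURE            5
#define SSH_AGENT_SUCCESS            6
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM  2

/* Hypothetical flags: which constraints this agent can actually enforce. */
#define CAP_LIFETIME (1u << 0)
#define CAP_CONFIRM  (1u << 1)

struct key_policy {
    uint32_t lifetime_secs; /* 0 = no expiry */
    int confirm;            /* 1 = ask the user before every signature */
};

/*
 * Walk the constraint bytes of an add-identity request. Returns
 * SSH_AGENT_SUCCESS only if every constraint is understood and can be
 * enforced with `caps`. On SSH_AGENT_FAILURE the caller must not store
 * the key, and `out` is left untouched.
 */
int parse_constraints(const uint8_t *p, size_t len, unsigned caps,
                      struct key_policy *out)
{
    struct key_policy pol = {0, 0};
    size_t i = 0;

    while (i < len) {
        switch (p[i++]) {
        case SSH_AGENT_CONSTRAIN_LIFETIME:      /* followed by uint32 seconds */
            if (!(caps & CAP_LIFETIME) || len - i < 4)
                return SSH_AGENT_FAILURE;
            pol.lifetime_secs = ((uint32_t)p[i] << 24) | ((uint32_t)p[i + 1] << 16) |
                                ((uint32_t)p[i + 2] << 8) | (uint32_t)p[i + 3];
            i += 4;
            break;
        case SSH_AGENT_CONSTRAIN_CONFIRM:       /* no payload */
            if (!(caps & CAP_CONFIRM))
                return SSH_AGENT_FAILURE;
            pol.confirm = 1;
            break;
        default:    /* unknown type: cannot be honored, so refuse the key */
            return SSH_AGENT_FAILURE;
        }
    }
    *out = pol;     /* written only when every constraint was accepted */
    return SSH_AGENT_SUCCESS;
}
```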
