On Wed, Nov 20, 2024 at 05:44:12PM +0300, Alexander Kulak wrote:
> When an SSH client connects with the `-v` option for verbose logging,
> the OpenSSH server discloses the full path to the `authorized_keys` file
> and specific key options in use. This information is exposed in the
> debug logs during the handshake process:
>
> debug1: Remote: /...path.../authorized_keys:1: key options: command
> debug1: Remote: /...path.../authorized_keys:1: key options:
> agent-forwarding port-forwarding pty user-rc x11-forwarding
>
> This behavior can undermine the security of a restricted shell setup by
> revealing sensitive configuration details.
>
> Steps to Reproduce:
> 1. Connect to the SSH server using an SSH client with the `-v` option.
> 2. Observe the debug output revealing the full path and key options.
>
> Expected Behavior:
> The server should not disclose sensitive information such as file paths
> or specific key options in verbose logs, preserving configuration
> confidentiality.

Would you mind please reporting this upstream? See
https://www.openssh.com/report.html for instructions.

Sometimes I do this myself, but in cases where I don't entirely agree
with parts of the bug report, it's better for people to do it themselves
so that they can have a direct discussion with upstream as needed. (In
particular, I'm personally not quite convinced that paths to
authorized_keys files really count as sensitive configuration details,
though I can see that you might consider key options to be.)

Thanks,

--
Colin Watson (he/him) [cjwat...@debian.org]
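
Added example, not part of either message above and not OpenSSH code: a small audit helper that reads a saved `ssh -v` log from a test login to your own restricted account and lists which authorized_keys paths and key options the server relayed in its "Remote:" debug lines. The sample log, host name, user and path are constructed for illustration, and the function names are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Server-originated debug lines as quoted in the report, on one line each:
#   debug1: Remote: <path>:<line>: key options: <opt> <opt> ...
REMOTE_KEYOPT = re.compile(
    r"^debug\d: Remote: (?P<path>.+):(?P<line>\d+): key options: (?P<opts>.*)$"
)

# Constructed sample of client-side `ssh -v` stderr (not captured from a real host).
SAMPLE_LOG = """\
debug1: Authenticating to restricted.example:22 as 'svc'
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519
debug1: Remote: /srv/jail/svc/.ssh/authorized_keys:1: key options: command
debug1: Server accepts key: /home/me/.ssh/id_ed25519 ED25519
debug1: Remote: /srv/jail/svc/.ssh/authorized_keys:1: key options: command
debug1: Remote: /srv/jail/svc/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Authenticated to restricted.example ([192.0.2.10]:22) using "publickey".
"""


def disclosed_key_options(log_text):
    """Return {(path, line_no): sorted option names} found in Remote: lines."""
    found = defaultdict(set)
    for raw in log_text.splitlines():
        m = REMOTE_KEYOPT.match(raw.strip())
        if m:
            # The same key line is usually reported more than once; merge them.
            key = (m.group("path"), int(m.group("line")))
            found[key].update(m.group("opts").split())
    return {k: sorted(v) for k, v in found.items()}


def report(log_text):
    """One human-readable line per disclosed authorized_keys entry."""
    return [
        f"{path} line {line_no}: {', '.join(opts)}"
        for (path, line_no), opts in sorted(disclosed_key_options(log_text).items())
    ]


if __name__ == "__main__":
    # Pass a saved log file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for entry in report(text):
        print("server disclosed:", entry)
```

A log to feed it can be saved by redirecting the client's stderr, for example `ssh -v user@host true 2> ssh-v.log`.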