Re: gitolite security issue. 6.6.4 ssh ARGV=admin


Sitaram Chamarty

Oct 14, 2016, 11:19:59 AM
to David, gito...@googlegroups.com
On Fri, Oct 14, 2016 at 04:52:20PM +0200, David wrote:
> Hi sitaramc
>
> I only write to you because I do believe this is a security issue.

I believe I was very careful to say, in every place that my
contact info is listed, that if you believe you have found a
security issue, please contact me privately. (This is standard
practice for security, by the way; it's not just me trying to
cover my ass!)

> I am able to use my key for one repo in order to clone gitolite-admin repo
> when I should not have permission to it.
>
> There is NO WAY that ssh ARGV= should be able to change from what is listed
> on the authorized_keys file to admin.
>
> I posted my full report to serverfault.
>
> http://serverfault.com/questions/809070/gitolite-admin-denied-by-fallthru

I suggest you add the word "IdentitiesOnly" to your ~/.ssh/config
and try again. Kill ssh-agent, keychain, or any of those kinds
of beasts also and restart them, adding only the "bob" key.

For good measure, move the admin private key out of the box
completely.

(Now, if you're saying you get access as admin when the box only
has bob's key, then we are all in deep shit...)