[Bug 524226] Re: ssh-import-id: retrieve a key from a public keyserver and add to the authorized_keys file

Jamie Strandboge jamie at ubuntu.com
Fri Feb 19 16:23:13 GMT 2010


I couldn't remember if wget would error out on an invalid certification, but reading the man page for wget, it seems that as long as wget is compiled with openssl, it will error out (good).
"As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails.  Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates."

I do also want to mention that most of the coding issues I brought up
are not significant in the expected usage of a regular user running the
command and giving the appropriate options (i.e., it is a lot easier to
just create a directory with authorized_keys in it rather than
subverting this script). Running as root brings a few more concerns, but
really it is if/when this script becomes part of a larger system that
the issues I pointed out can become serious. Since we don't know how
people will be using it, IMHO it is important to program as defensively
as possible.

I think it's vitally important to enforce https and to validate the new
authorized_keys file, ideally with fingerprint and confirmation (and
what about ssh-vulnkey for good measure? Perhaps overkill, but certainly
doable).

-- 
ssh-import-id: retrieve a key from a public keyserver and add to the authorized_keys file
https://bugs.launchpad.net/bugs/524226
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
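
The checks called for in the message above (https only, validate the downloaded keys, show a fingerprint before anything is appended), as an added Python example that is not part of the original message or of ssh-import-id. The allowed key types, the example.invalid URL and the sample key are assumptions constructed for illustration; the fingerprint is the SHA256 form that current OpenSSH prints.

```python
import base64
import binascii
import hashlib
import struct
from urllib.parse import urlsplit

# Assumption: key types accepted for import; adjust to local policy.
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def require_https(url):
    """Refuse any key source that is not an https URL with a host part."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-https key source: %r" % url)
    return url

def fingerprint(line):
    """Validate one public-key line; return (type, fingerprint, comment)."""
    fields = line.split(None, 2)
    # The first field must be a key type, so lines that carry authorized_keys
    # options (command=..., from=...) in front of the key are rejected.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error:
        raise ValueError("key data is not valid base64") from None
    # The key blob begins with a length-prefixed copy of the key type.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("declared key type does not match key data")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    comment = fields[2].strip() if len(fields) > 2 else ""
    return fields[0], "SHA256:" + digest, comment

def validate_keys(text):
    """Return fingerprints for every key in text; one bad line rejects it all."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if not lines:
        raise ValueError("no keys in downloaded data")
    return [fingerprint(l) for l in lines]

# Constructed sample: a well-formed ssh-ed25519 blob holding dummy key bytes.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example\n"

if __name__ == "__main__":
    require_https("https://keys.example.invalid/user.keys")  # hypothetical URL
    for ktype, fp, comment in validate_keys(SAMPLE):
        print(ktype, fp, comment)  # show to the user and confirm before appending
```

Only after every line passes and the user has confirmed the printed fingerprints should the keys be appended to authorized_keys.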


