Package: openssh-client Version: 1:9.5p1-2 Severity: normal Tags: upstream https://blog.thc.org/infecting-ssh-public-keys-with-backdoors
The above web page describes how to exploit systems via the athorized_keys file and purports to describe how to hide backdoors in ~/.ssh/id_*.pub, the only way that second claim could be valid is by using ssh-copy-if to blindly copy a .pub file that has the command= string in question installed. To address this sort of thing (and also to prevent needless confusion from less hostile uses of command=) I think ssh-copy-id should either warn about the use of command= in the source file or copy a sanitised version unless explicitely told to copy that with an optional parameter. -- System Information: Debian Release: trixie/sid Architecture: amd64 (x86_64) Kernel: Linux 6.5.0-5-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en Shell: /bin/sh linked to /usr/bin/dash Init: unable to detect Versions of packages openssh-client depends on: ii adduser 3.137 ii libc6 2.37-13 ii libedit2 3.1-20230828-1 ii libfido2-1 1.14.0-1 ii libgssapi-krb5-2 1.20.1-5 ii libselinux1 3.5-1+b1 ii libssl3 3.1.4-2 ii passwd 1:4.13+dfsg1-3 ii zlib1g 1:1.3.dfsg-3 Versions of packages openssh-client recommends: ii xauth 1:1.1.2-1 Versions of packages openssh-client suggests: pn keychain <none> ii ksshaskpass [ssh-askpass] 4:5.27.9-1 pn libpam-ssh <none> pn monkeysphere <none> -- debconf-show failed