
#21 SEVERE: allow_user_owned_authorized_keys_file permits privilege escalation

open
nobody
None
1
2016-01-19
2016-01-19
No

The option "allow_user_owned_authorized_keys_file" is very dangerous, and should be removed from the code as it has no reasonable use case. This is because the test for privilege escalation (the authorized keys file) can be modified without first passing the test, which permits an unauthenticated escalation.

Consider sudo. If an attacker was able to gain code execution ability as a user, and that user owned his authorized keys file, the attacker could simply replace the authorized keys file with one of his choosing and then sudo at will. This reduces sudo security to the equivalent of "NOPASSWD".

For the same reason, not only should the authorized keys file be owned by root, but neither it nor any containing directory (up to the root) should be writable by anybody other than root.

For any operation on the remote server that normally requires local authentication (e.g. passwd, chfn, ...), enabling allow_user_owned_authorized_keys_file is security-equivalent to not requiring authentication, by the same argument. The only use case where escalation is not a danger is remote login, but sshd implements this natively, and no other remote login method has ssh-agent available to it at authentication time.
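The ownership rule above can be checked mechanically. The script below is an added example, not code from pam_ssh_agent_auth or from the ticket author: it walks from the key file (the path given to the module's file= option, for instance) up to / and reports every component that is not root-owned or is group/world-writable, following the same approach OpenSSH's StrictModes takes (resolve symlinks, then check each directory in the chain). The function names and the three in-memory sample filesystems are constructed for illustration; stat_fn and realpath are injectable so the logic runs offline.

```python
#!/usr/bin/env python3
"""Audit the path of an authorized_keys file used for privilege escalation.

Rule from the ticket: the key file and every directory above it up to '/'
must be owned by root and be writable by nobody else. Whoever can write any
component can swap in their own public key, and the "authentication"
collapses to NOPASSWD.

Added example; not part of pam_ssh_agent_auth. Function names and the
sample filesystem tables are constructed for illustration.
"""
import errno
import os
import stat
from typing import Callable, Dict, List, NamedTuple


class StatResult(NamedTuple):
    """The subset of os.stat_result fields the audit needs."""
    st_uid: int
    st_gid: int
    st_mode: int


def path_components(path: str) -> List[str]:
    """Return the absolute path followed by each ancestor directory up to '/'."""
    path = os.path.normpath(os.path.abspath(path))
    chain = [path]
    while True:
        parent = os.path.dirname(path)
        if parent == path:          # reached the filesystem root
            break
        chain.append(parent)
        path = parent
    return chain


def audit_authorized_keys(path: str,
                          stat_fn: Callable[[str], StatResult] = os.stat,
                          realpath: Callable[[str], str] = os.path.realpath,
                          trusted_uids=(0,)) -> List[str]:
    """Return a list of problems; an empty list means the chain is safe.

    Symlinks are resolved first and the resolved chain is checked, so a link
    pointing into a user-writable tree is caught at its target.
    """
    problems = []
    for comp in path_components(realpath(path)):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            continue
        if st.st_uid not in trusted_uids:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group/other "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def fake_stat(table: Dict[str, StatResult]) -> Callable[[str], StatResult]:
    """Build a stat function over a constructed in-memory filesystem."""
    def _stat(p: str) -> StatResult:
        if p not in table:
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), p)
        return table[p]
    return _stat


ROOT_DIR = StatResult(0, 0, stat.S_IFDIR | 0o755)

# Constructed: a root-owned site-wide key file, the layout the ticket asks for.
SAFE_FS = {
    "/": ROOT_DIR, "/etc": ROOT_DIR, "/etc/security": ROOT_DIR,
    "/etc/security/authorized_keys": StatResult(0, 0, stat.S_IFREG | 0o644),
}

# Constructed: a user-owned ~/.ssh/authorized_keys, which is exactly what
# allow_user_owned_authorized_keys_file permits the module to trust.
USER_OWNED_FS = {
    "/": ROOT_DIR, "/home": ROOT_DIR,
    "/home/alice": StatResult(1000, 1000, stat.S_IFDIR | 0o755),
    "/home/alice/.ssh": StatResult(1000, 1000, stat.S_IFDIR | 0o700),
    "/home/alice/.ssh/authorized_keys": StatResult(1000, 1000, stat.S_IFREG | 0o600),
}

# Constructed: root-owned file under a world-writable directory. An attacker
# can rename the directory away and recreate it holding their own key file.
WRITABLE_DIR_FS = {**SAFE_FS,
                   "/etc/security": StatResult(0, 0, stat.S_IFDIR | 0o777)}

if __name__ == "__main__":
    cases = [("safe", SAFE_FS, "/etc/security/authorized_keys"),
             ("user-owned", USER_OWNED_FS, "/home/alice/.ssh/authorized_keys"),
             ("writable dir", WRITABLE_DIR_FS, "/etc/security/authorized_keys")]
    for name, fs, p in cases:
        found = audit_authorized_keys(p, stat_fn=fake_stat(fs), realpath=lambda q: q)
        print(name, "->", found or "OK")
```

Against a live host, call audit_authorized_keys("/etc/security/authorized_keys") with the defaults to stat the real filesystem. Note that a root-owned file with a user-owned ~/.ssh above it still fails, because the directory owner can rename the file out of the way; that is why the ticket insists on the whole chain, not just the file.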
