/root/.ssh/authorized_keys with "pluto-generated key"???

[Zaerc]

After installing 1.1 0704 I found this file: /root/.ssh/authorized_keys containing what appears to be a "pluto-generated key".

I'm kind of curious to know what this is doing on my freshly installed linuxmce system considering the implications it might have as a possible security breach. 

[Hoochster]

I am PURELY guessing, since I haven't been able to get the sw yet due to the torrents not kicking in yet.  But I would think if you installed the Image DVD then you are using an image they installed and probably connected to, hence why there is knowledge of a connection.  You should be able to delete it.  I would hope that isn't there if you download the CD version and install yourself. 

Again, pure speculation.  Being as they mentioned the DVD was an IMAGE of a system already installed.

[Zaerc]

This is on a system installed from the 2 CDs (1.1-0704), not of the DVD.  And you bet I removed this file, eventho the ssh port isn't be reachable from the outside directly.  The key in question:

Code:

ssh-dss AAAAB3NzaC1kc3MAAACBAJ8sSrbCngqGbhAMeMLZba+3077Ecr4B/BPwMk4xaC68OOzvpUEl
Lxmdt1L2xvRpTcvgfnPCURNsKKTdtdrdwy52DGNLJru2eeMngCsUdRW3BC/DVPqZ0GFLMS2x+qyUDakI
rIJrO0tGdwbmyME/fbEpClJeJlwIsgbwi09XXTErAAAAFQDcse/mTK0+yGFU/SjHvKnUTVylNwAAAIBi
b3evacUvb28Ar5B1IHtL9JBITIqfKXHJvi9IrCCFr0w+z98EsyoR90zAGTWaTxfkjHb5fjuPeVrfijsb
1D2D4TS+NJdeBJOw6eNAYXbzVMV5D7FDPnnKemqNKwNhdDfrtfPA5rK3LIgpN6e2lEmFGl9KtfXVIXM/
ZQzESam/9wAAAIAr8t9CxZCX3yqo8MMko7JVs5tFRUrneBS9Ked3k46iqdmhC3pSZOKWRC8iEV8LVNGv
gjvZa5aqBvLBRsCDUGhWgM6wMjtelyHd7Q8LkYBtBtXd+k46JqGL1htGauuH9TNIoVbBH6U+XKSeuOaX
eW+L2SLqSsgRwBgvD6ZrfU+ITA== Pluto auto-generated key

[Hoochster]

Doh!  Then ya, that kinda makes me leary as well heh.

This is on a system installed from the 2 CDs (1.1-0704), not of the DVD.  And you bet I removed this file, eventho the ssh port isn't be reachable from the outside directly.  The key in question:

Code:

ssh-dss AAAAB3NzaC1kc3MAAACBAJ8sSrbCngqGbhAMeMLZba+3077Ecr4B/BPwMk4xaC68OOzvpUEl
Lxmdt1L2xvRpTcvgfnPCURNsKKTdtdrdwy52DGNLJru2eeMngCsUdRW3BC/DVPqZ0GFLMS2x+qyUDakI
rIJrO0tGdwbmyME/fbEpClJeJlwIsgbwi09XXTErAAAAFQDcse/mTK0+yGFU/SjHvKnUTVylNwAAAIBi
b3evacUvb28Ar5B1IHtL9JBITIqfKXHJvi9IrCCFr0w+z98EsyoR90zAGTWaTxfkjHb5fjuPeVrfijsb
1D2D4TS+NJdeBJOw6eNAYXbzVMV5D7FDPnnKemqNKwNhdDfrtfPA5rK3LIgpN6e2lEmFGl9KtfXVIXM/
ZQzESam/9wAAAIAr8t9CxZCX3yqo8MMko7JVs5tFRUrneBS9Ked3k46iqdmhC3pSZOKWRC8iEV8LVNGv
gjvZa5aqBvLBRsCDUGhWgM6wMjtelyHd7Q8LkYBtBtXd+k46JqGL1htGauuH9TNIoVbBH6U+XKSeuOaX
eW+L2SLqSsgRwBgvD6ZrfU+ITA== Pluto auto-generated key

[elspic]

Same thing on the DVD install. -Ruben

[sp00nhead]

From what i can remember using pluto, its the key used for the Remote assist

[webpaul1]

This could be a left-over from that I didn't catch.  Sorry.  Let me check on this.  I did leave in the pluto remote assistance thing because pluto said it could be used by any 3rd party companies that wanted to offer tech support.  Let me dig some more and be sure I didn't leave in anything that's a security risk.

[webpaul1]

This should not be a problem.  I talked to the Pluto guy who wrote it.  It's not a backdoor, and neither Pluto nor anyone else will have the corresponding private key.

the key is auto-generated at install time for each installation and the purpose is to allow media directors to have ssh access to the main box so that they can do things like modify their boot sequence, access teh database, etc.  It's not a common key, and nobody else has the private key, except the media directors.  The key is unique for each install and generated on the fly when it install time in these scripts:

BootScripts/SSH_Keys.sh
ssh-keygen -t dsa -C "Pluto auto-generated key" -f $Dir/$Key -P ""

And the corresponding key is put on the media directors in their boot images.  This sounds correct and should make it safe.  Please confirm that we're all in agreement that this is ok and not a cause for concern.  I was in a bit of a panic mode since I ordered 1,000 replicated dvd's from a mastering house (linuxmce is now sending out dvd's), and obviously if they have any back doors or security holes I have to stop the order and get it fixed.  So can you guys post replies confirming we're in consensus that this is not a problem?

[Zaerc]

Well I'm glad I wasn't screaming back-door then, my foot doesn't taste that great you know.   And my appologies for startling you, that was not my intention.

It seems to me like a very legitimate use of that mechanism, I don't see much of a problem with that.  And unless other people found the exact same key I posted, I'd consider this a total non-issue.  Thanks for clearing it up.

[sp00nhead]

Maybe for the Next release we could re-name it to something more line "LMCE Internal" or something more suitable