On Tue, Sep 11, 2018 at 07:18:23PM -0600, Chris Murphy wrote:
> I've filed a gnome-shell bug (see link below) for a change in
> dialog I see when connecting to an ssh server using public key
> authentication. The Fedora 28 dialog shows the key name; the Fedora 29
> dialog is generic, so I can only guess by time proximity what I'm
> entering the passphrase for.
>
> Question is whether this constitutes an "important" security bug or
> higher. The bug has screenshots for both the F28 and F29 dialogs in

I would not classify it as "Important impact" or "Critical impact";
even triggering that dialog requires access as a local user.

I'd also not consider it as a "Moderate impact", as it only happens as a
result of a user action and should not leak any information. (the key
fingerprint is transmitted to the server even before the password is

Therefore (in my personal opinion) I'd classify it as a "Low impact"
issue, as it might be a warning sign if an unexpected key is accepted by
the server. (Even then there should be a hostkey mismatch warning, but
the Red Hat security rating also allows for unlikely circumstances)