Home |
Licence |
FAQ |
Docs |
Download |
Keys |
Links
Mirrors |
Updates |
Feedback |
Changes |
Wishlist |
Team
This issue corresponds to CVE-2006-7162. (Note that some versions of the advisories for this issue incorrectly state that 0.59 is vulnerable. For the avoidance of doubt, this issue only affects 0.58 and prior, and only the Unix version.)When i run puttygen (either to create a new key, or to translate an openssh-style key), the emitted ppk file (the putty private key) is created with the standard umask, which by default in debian leaves things world-readable.
this is in contrast to ssh-keygen from the openssh suite, which creates private keys with group and other permissions all off, no matter what the current umask.
I think that ssh-keygen's approach is what people expect and intend when it comes to public keys, and it's a better idea to make these things safe-by-default.
Audit trail for this bug.