Audit ssh attack surface for CVE-2026-35414 OpenSSH commas-in-cert-principals #71
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#71
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally filed by @coilysiren on 2026-05-03T19:53:52Z - https://github.com/coilysiren/infrastructure/issues/90
CVE-2026-35414 surfaced in TLDR (2026-04-28): a 15-year-old OpenSSH bug where a code-reuse error allows commas in SSH certificate principals, breaking principal-based authorization. Worth a quick audit because
coily ssh kai-serveris the daily privileged path into the homelab.What to check
kai-servervs the CVE's affected range.ssh -Vlocally andssh kai-server 'sshd -V 2>&1 || /usr/sbin/sshd -V 2>&1'.principalsconstraints, or just plain authorized_keys. If it's authorized_keys only, this CVE is not exploitable here. (Pretty sure it's the latter, but verify.)Relation to gauntlet
Tangentially related, not a direct gauntlet trial:
coilysiren/gauntletto seed an attacker plan template around delimiter injection in identity fields.Other items from the same TLDR (lower priority, not blocking)
Source
TLDR newsletter, dan@tldrnewsletter.com, 2026-04-28. Item titled "15-Year OpenSSH Root Bug, Checkmarx GitHub Breach, CloudFlare AI Reviews At Scale."
Moved from coilysiren/coilyco-ai#23.
Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag:
burndown-2026-06.