
Bug#211334: marked as done (Option to have ssh client installed setuid root)



Your message dated Thu, 18 Sep 2003 02:13:58 +0100
with message-id <20030918011358.GA18045@riva.ucam.org>
and subject line Bug#211334: Option to have ssh client installed setuid root
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Subject: Option to have ssh client installed setuid root
From: Peter Harvey <pah06@uow.edu.au>
To: submit@bugs.debian.org
Organization: SITACS, University of Wollongong
Date: Wed, 17 Sep 2003 14:22:56 +1000

Package: ssh
Version: 3.4p1-1.1

It would be nice if there was a debconf entry for setting the ssh client
to be setuid root. This is required for hostbased authentication, and it
is annoying to remember this detail when there is an upgrade for ssh
(like the recent security patch).

From http://www.openssh.org/faq.html#2.2 :

[For] hostbased authentication (in protocol version 2) the ssh client
needs to access the private host key in order to authenticate the client
machine to the server. So the setuid root bit is needed for these
authentication methods, too. You can safely remove the setuid bit from
the ssh executable if you don't want to use these authentication
methods.

Thanks, and great work btw,
Peter Harvey.




---------------------------------------
Date: Thu, 18 Sep 2003 02:13:58 +0100
From: Colin Watson <cjwatson@debian.org>
To: 211334-done@bugs.debian.org
Subject: Re: Bug#211334: Option to have ssh client installed setuid root
Message-ID: <20030918011358.GA18045@riva.ucam.org>

On Thu, Sep 18, 2003 at 11:06:22AM +1000, Peter Harvey wrote:
> On Thu, 2003-09-18 at 09:25, Colin Watson wrote:
> >  If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
> >  host-based authentication.
> > 
> > > From http://www.openssh.org/faq.html#2.2 :
> > 
> > I think that's out of date. Note that ssh-keysign was broken in
> > 1:3.4p1-1.1, but this is fixed in 1:3.4p1-1.woody.2.
> 
> All I can say is that hostbased authentication refused to work for me
> with fairly recent packages, even with ssh-keysign suid. If I set ssh to
> suid root it immediately started working.

Yes, ssh-keysign is only used if ssh is not setuid, so a completely
broken ssh-keysign - as in 1:3.4p1-1.1 and earlier - means you need a
setuid ssh.

> You are right though: the latest packages (1:3.4p1-1.woody.2) work
> properly without having ssh suid. So this bug is now dead.

Great, thanks for the confirmation. Closing.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
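
As an added illustration (not part of the original thread, and not Debian's or OpenSSH's code): a shell check that classifies a host by the setuid bits on the two binaries discussed above, so that a setuid ssh left behind as a workaround can be spotted after an upgrade. The function names, the result labels and the optional third argument (expected owner uid, default 0 for root) are assumptions made for this example; pass the paths of your own ssh and ssh-keysign binaries.

```shell
#!/bin/sh
# Classify the hostbased-authentication setup from the setuid bits alone.
# Usage: hostbased_posture /path/to/ssh /path/to/ssh-keysign [owner-uid]

# True when $1 is a regular file with the setuid bit set and owned by uid $2.
is_setuid_for() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    # Numeric owner is the third field of "ls -ln" output.
    owner=$(ls -ln "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# Prints one of (labels are this example's own):
#   ssh-missing     the ssh client path does not exist
#   setuid-ssh      ssh itself is setuid; per the thread, ssh-keysign is
#                   then not used, and the whole client runs privileged
#   keysign-helper  ssh is unprivileged and only ssh-keysign is setuid
#   no-hostbased    neither binary is setuid, so neither can read the
#                   private host key
hostbased_posture() {
    ssh_bin=$1
    keysign_bin=$2
    uid=${3:-0}
    if [ ! -f "$ssh_bin" ]; then
        echo "ssh-missing"
    elif is_setuid_for "$ssh_bin" "$uid"; then
        echo "setuid-ssh"
    elif is_setuid_for "$keysign_bin" "$uid"; then
        echo "keysign-helper"
    else
        echo "no-hostbased"
    fi
    return 0
}

# Run directly with two or three arguments to check a real system.
if [ $# -ge 2 ]; then
    hostbased_posture "$@"
fi
```

A result of `setuid-ssh` on a package version where ssh-keysign works means the setuid bit on ssh can be removed.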


