
Bug#211305: ssh: Hostbased authentication broken after security upgrade



On Wed, Sep 17, 2003 at 12:54:58AM +0100, Colin Watson wrote:
> On Tue, Sep 16, 2003 at 04:32:12PM -0700, Marc Singer wrote:
> > Package: ssh
> > Version: 1:3.4p1-1.1
> > Followup-For: Bug #211305
> > 
> > Upgraded a group of machines that used hostbased authentication for
> > password-less ssh logins.  Review of ssh -vvv output doesn't explain
> > loss of functionality.  The only file in /etc/ssh changed by the
> > upgrade is the host_key.
> 
> You were running the hostbased-auth-fixed version in proposed-updates,
> which has not yet been upgraded. The stable release manager has refused
> to install that version into stable.

I don't believe so.  This machine was installed from stable and only
from stable.

> This has nothing to do with the security update.

The problem, it turns out, was that the upgrade changed the
permissions on usr/bin/ssh.  In order to use the host-based
authentication, ssh must be run as root so it can use a privileged
port.

IIRC, the ssh package has, in the past, asked if the user wants to set
the executable's sticky bit.  It seems reasonable to maintain the
functionality of the existing installation on upgrade by detecting the
sticky bit in the original and setting it again for the new
executable.  Recognizing that this is a major headache, I assume it
won't be done.

Cheers.
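
The check proposed in the message above (detect the bit on the old executable, set it again on the new one), as an added sketch that is not part of the original message or of the Debian ssh package. It tests the set-user-ID bit, the mode bit that makes a binary run as its owner; the function names and the state-file format are hypothetical.

```shell
#!/bin/sh
# Added sketch: carry a binary's set-user-ID bit across a file replacement.
# record_suid / restore_suid and the state-file layout are hypothetical names.

# record_suid FILE STATE: note whether FILE is set-user-ID and which UID owns it.
record_suid() {
    file=$1; state=$2
    # Refuse symlinks and non-regular files: the mode would belong to the target.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "absent" > "$state"
        return 0
    fi
    owner=$(ls -ln "$file" | awk '{print $3}')
    if [ -u "$file" ]; then
        echo "suid $owner" > "$state"
    else
        echo "plain $owner" > "$state"
    fi
}

# restore_suid FILE STATE: re-apply the bit only when it was set before and
# the replacement is a regular file owned by the same UID as the original.
restore_suid() {
    file=$1; state=$2
    [ -f "$state" ] || return 1
    read -r kind old_owner < "$state"
    [ "$kind" = "suid" ] || return 0          # nothing to restore
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        return 1                              # never chmod through a symlink
    fi
    new_owner=$(ls -ln "$file" | awk '{print $3}')
    [ "$new_owner" = "$old_owner" ] || return 1   # owner changed: do not elevate
    chmod u+s "$file"
}
```

On Debian, dpkg-statoverride is the packaged way to keep a locally chosen owner and mode on a file across upgrades.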




