
Bug#211305: ssh: Hostbased authentication broken after security upgrade



On Tue, Sep 16, 2003 at 05:20:15PM -0700, Marc Singer wrote:
> On Wed, Sep 17, 2003 at 12:54:58AM +0100, Colin Watson wrote:
> > You were running the hostbased-auth-fixed version in proposed-updates,
> > which has not yet been upgraded. The stable release manager has refused
> > to install that version into stable.
> 
> I don't believe so.  This machine was installed from stable and only
> from stable.

Ah right, fair enough. The hostbased auth thing is uppermost in my mind
at the moment ...

> > This has nothing to do with the security update.
> 
> The problem, it turns out, was that the upgrade changed the
> permissions on usr/bin/ssh.  In order to use the host-based
> authentication, ssh must be run as root so it can use a privileged
> port.
> 
> IIRC, the ssh package has, in the past, asked if the user wants to set
> the executable's sticky bit.  It seems reasonable to maintain the
> functionality of the existing installation on upgrade by detecting the
> sticky bit in the original and setting it again for the new
> executable.  Recognizing that this is a major headache, I assume it
> won't be done.

Oh, in that case you ought to use dpkg-statoverride to set the
permissions so that they're preserved across upgrades. (And isn't it
ssh-keysign these days anyway?)

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
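
Added example, not part of the original message or of the Debian ssh package: a shell check that tells whether a file's current mode is recorded in the dpkg-statoverride database, which is what makes it survive an upgrade. The function names, the sample list and the 4755 mode are assumptions made for illustration; audit_file assumes GNU stat and a Debian system.

```shell
#!/bin/sh
# Constructed sample of `dpkg-statoverride --list` output:
# one "owner group mode path" record per line.
SAMPLE_LIST='root root 4755 /usr/bin/ssh
root crontab 2755 /usr/bin/crontab'

# override_status PATH MODE
# Reads `dpkg-statoverride --list` output on stdin and prints one of:
#   missing   no override for PATH; an upgrade restores the package's mode
#   ok        an override exists and records MODE
#   mismatch  an override exists but records a different mode
override_status() {
    want=$(printf '%o' "0$2")        # normalise octal, e.g. 04755 -> 4755
    status=missing
    while read -r _owner _group mode path; do
        [ "$path" = "$1" ] || continue
        if [ "$(printf '%o' "0$mode")" = "$want" ]; then
            status=ok
        else
            status=mismatch
        fi
    done
    printf '%s\n' "$status"
}

# audit_file PATH
# Compares PATH's on-disk mode with the live override database.
audit_file() {
    current=$(stat -c '%a' "$1") || return 2
    printf '%s: mode %s, override %s\n' "$1" "$current" \
        "$(dpkg-statoverride --list | override_status "$1" "$current")"
}

# On a Debian system, run as root:
#   audit_file /usr/bin/ssh
# If it reports "missing", record the intended mode so upgrades keep it
# (owner, group and mode here are sample values):
#   dpkg-statoverride --update --add root root 4755 /usr/bin/ssh
```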



