Bug#211305: ssh: Hostbased authentication broken after security upgrade
On Tue, Sep 16, 2003 at 05:20:15PM -0700, Marc Singer wrote:
> On Wed, Sep 17, 2003 at 12:54:58AM +0100, Colin Watson wrote:
> > You were running the hostbased-auth-fixed version in proposed-updates,
> > which has not yet been upgraded. The stable release manager has refused
> > to install that version into stable.
>
> I don't believe so. This machine was installed from stable and only
> from stable.

Ah right, fair enough. The hostbased auth thing is uppermost in my mind
at the moment ...

> > This has nothing to do with the security update.
>
> The problem, it turns out, was that the upgrade changed the
> permissions on usr/bin/ssh. In order to use the host-based
> authentication, ssh must be run as root so it can use a privileged
> port.
>
> IIRC, the ssh package has, in the past, asked if the user wants to set
> the executable's sticky bit. It seems reasonable to maintain the
> functionality of the existing installation on upgrade by detecting the
> sticky bit in the original and setting it again for the new
> executable. Recognizing that this is a major headache, I assume it
> won't be done.

Oh, in that case you ought to use dpkg-statoverride to set the
permissions so that they're preserved across upgrades. (And isn't it
ssh-keysign these days anyway?)

Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
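
As an added illustration of the dpkg-statoverride suggestion in the message above (not part of the original thread): a small check that reads `dpkg-statoverride --list` output and reports whether a path has a registered override that keeps the setuid mode across upgrades. The function names, the sample listing and the mode 4755 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. `dpkg-statoverride --list` prints one
# entry per line as "<owner> <group> <mode> <path>". An admin registers one with:
#   dpkg-statoverride --update --add root root 4755 /usr/bin/ssh
# (mode 4755 is an assumed example value).

# Constructed sample of `dpkg-statoverride --list` output.
SAMPLE_LIST='root root 4755 /usr/bin/ssh
root mail 2755 /usr/bin/example-tool'

# override_mode LIST PATH: print the registered mode for PATH; fail if absent.
# Assumes paths contain no whitespace.
override_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 == p { print $3; found = 1 }
        END     { exit !found }'
}

# has_setuid MODE: succeed if the octal mode includes the setuid bit (04000).
has_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# check_override LIST PATH: print one of
#   missing           no override registered, an upgrade may reset the mode
#   no-setuid         override registered, but without the setuid bit
#   setuid-preserved  override registered and setuid survives upgrades
check_override() {
    mode=$(override_mode "$1" "$2") || { echo "missing"; return 0; }
    if has_setuid "$mode"; then
        echo "setuid-preserved"
    else
        echo "no-setuid"
    fi
}

# Demo on the constructed sample; on a real system pass
# "$(dpkg-statoverride --list)" as the first argument instead.
for path in /usr/bin/ssh /usr/bin/example-tool /usr/bin/unlisted; do
    printf '%s: %s\n' "$path" "$(check_override "$SAMPLE_LIST" "$path")"
done
```
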