Bug#211334: Option to have ssh client installed setuid root
On Wed, Sep 17, 2003 at 02:22:56PM +1000, Peter Harvey wrote:
> Package: ssh
> Version: 3.4p1-1.1
>
> It would be nice if there was a debconf entry for setting the ssh client
> to be setuid root. This is required for hostbased authentication, and it
> is annoying to remember this detail when there is an upgrade for ssh
> (like the recent security patch).

Is there a problem with this already-existing question?

Template: ssh/SUID_client
Type: boolean
Default: true
Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
 You have the option of installing the ssh-keysign helper with the SUID
 bit set.
 .
 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
 host-based authentication.
 .
 If in doubt, I suggest you install it with SUID. If it causes
 problems you can change your mind later by running: dpkg-reconfigure ssh

> From http://www.openssh.org/faq.html#2.2 :
>
> [For] hostbased authentication (in protocol version 2) the ssh client
> needs to access the private host key in order to authenticate the client
> machine to the server. So the setuid root bit is needed for these
> authentication methods, too. You can safely remove the setuid bit from
> the ssh executable if you don't want to use these authentication
> methods.

I think that's out of date. Note that ssh-keysign was broken in
1:3.4p1-1.1, but this is fixed in 1:3.4p1-1.woody.2.

Cheers,

--
Colin Watson [cjwatson@flatline.org.uk]