bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 21:16 UTC
[Bug 1893] New: change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

           Summary: change ssh-keisign to setgid from setuid
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jchadima at redhat.com

The setgid programs are potentially less dangerous than setuid ones. The only setuid program in the OpenSSH suite is ssh-keysign. It needs to access private server keys.

The solution is to create one dedicated group (ssh_keys). The keys then should be rw-r----- root:ssh_keys. The ssh-keysign should be setgid ssh_keys. And finally authfile.c should be patched to accept such keys.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 21:17 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

--- Comment #1 from jchadima at redhat.com 2011-04-22 07:17:21 EST ---
Created attachment 2035
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2035
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-21 22:20 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Jim Knoble <jmknoble at pobox.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmknoble at pobox.com

--- Comment #2 from Jim Knoble <jmknoble at pobox.com> 2011-04-22 08:20:51 EST ---
So how is this supposed to work in practice? Change everyone's home directory to be mode 0710 group ssh_keys?

Why is the "ssh_keys" group hard-coded in authfile.c?
bugzilla-daemon at bugzilla.mindrot.org
2011-Apr-22 04:49 UTC
[Bug 1893] change ssh-keisign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jchadima at redhat.com

--- Comment #3 from jchadima at redhat.com 2011-04-22 14:49:49 EST ---
No, home directories do not need to change. The only change is on the server private keys. The hard-coded server keys are for security reasons.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-03 00:41 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
            Summary|change ssh-keisign to       |change ssh-keysign to
                   |setgid from setuid          |setgid from setuid
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-06-03 10:41:24 EST ---
I don't think there is much point to getting rid of the setuid bit on ssh-keysign. There are only 12 lines of code executed before dropping privileges and these are clearly quite safe.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:33 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-09-06 15:33:02 EST ---
close resolved bugs now that openssh-5.9 has been released
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:31 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Jan F. Chadima <jfch at jagda.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfch at jagda.eu
bugzilla-daemon at bugzilla.mindrot.org
2012-May-28 19:18 UTC
[Bug 1893] change ssh-keysign to setgid from setuid
https://bugzilla.mindrot.org/show_bug.cgi?id=1893

Edward Z. Yang <ezyang at mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ezyang at mit.edu

--- Comment #6 from Edward Z. Yang <ezyang at mit.edu> 2012-05-29 05:18:25 EST ---
I am confused why this bug is closed WONTFIX, as the ssh_keys group appears to have made its way into recent Fedora.