Ben Lindstrom
2002-Jul-03 12:54 UTC
--{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0
It was removed because RhostAuth is the only thing depending on it, and it was felt if you want to use the feature (which is not recommended) that you can setuid it yourself. HostBased Authentication is now handled by ssh-keysign which is setuid instead. Much smaller amount of code to audit.

- Ben

On Wed, 3 Jul 2002, Robert Dahlem wrote:

> Hi,
>
> According to ChangeLog someone "(bal)" removed -{enable/disable}-suid-ssh
> from configure (dating from 2002/06/07). Don't know the reason, probably
> this has something to do with PrivilegeSeparation.
>
> Consequence is: Users with UID != 0 are no longer able to allocate
> privileged ports, sshd answers "Rhosts Authentication disabled,
> originating port will not be trusted". Bang, there they sit. :-)
>
> Ok, "chmod u+s ssh scp" does help as first aid.
>
> My question is: Is SUID on ssh/scp considered dangerous? Are there other
> reasons one should avoid this?
>
> Regards,
> Robert
Robert Dahlem
2002-Jul-03 12:54 UTC
--{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0
Hi,

According to ChangeLog someone "(bal)" removed -{enable/disable}-suid-ssh from configure (dating from 2002/06/07). Don't know the reason, probably this has something to do with PrivilegeSeparation.

Consequence is: Users with UID != 0 are no longer able to allocate privileged ports, sshd answers "Rhosts Authentication disabled, originating port will not be trusted". Bang, there they sit. :-)

Ok, "chmod u+s ssh scp" does help as first aid.

My question is: Is SUID on ssh/scp considered dangerous? Are there other reasons one should avoid this?

Regards,
Robert

--
Robert.Dahlem at siemens.com
Siemens Business Services - FS GF KORDOBA-Outsourcing
Tel: +49-69-797-6530 Fax: +49-69-797-6599
Markus Friedl
2002-Jul-03 13:03 UTC
--{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0
On Wed, Jul 03, 2002 at 02:54:36PM +0200, Robert Dahlem wrote:

> Ok, "chmod u+s ssh scp" does help as first aid.

please don't add an s-bit to scp, as it allows everyone on your system to overwrite all files.

> My question is: Is SUID on ssh/scp considered dangerous? Are there other
> reasons one should avoid this?

1) rhosts authentication should be avoided
2) only rhosts-rsa authentication needs an sbit. a privileged port is just needed for older sshd servers
3) hostbased authentication in protocol 2 does not need an sbit on ssh, they use ssh-keysign instead.

-m
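
The advice in this thread, turned into a file-mode audit. This is an added example, not part of the thread and not OpenSSH code; the function names and the two directory arguments are hypothetical, and only the setuid mode bit is checked, not file ownership.

```shell
#!/bin/sh
# Added example: audit the setuid bit on OpenSSH client binaries against the
# advice in this thread. Function names and directory arguments are
# hypothetical; only the mode bit is checked, not file ownership.

# audit_one PATH POLICY
#   never    - must not be setuid (scp)
#   avoid    - setuid only needed for rhosts-rsa authentication (ssh)
#   expected - setuid helper for hostbased authentication (ssh-keysign)
# Prints one finding; returns 1 when the setuid bit contradicts the policy.
audit_one() {
    ao_path=$1
    ao_policy=$2
    if [ ! -f "$ao_path" ]; then
        echo "SKIP: $ao_path not found"
        return 0
    fi
    if [ -u "$ao_path" ]; then ao_suid=yes; else ao_suid=no; fi
    case "$ao_policy:$ao_suid" in
        never:yes)
            echo "FAIL: $ao_path is setuid; remove it with chmod u-s"
            return 1 ;;
        avoid:yes)
            echo "WARN: $ao_path is setuid; only rhosts-rsa authentication needs it"
            return 1 ;;
        expected:no)
            echo "INFO: $ao_path is not setuid; hostbased authentication relies on it"
            return 0 ;;
        *)
            echo "OK: $ao_path (setuid=$ao_suid)"
            return 0 ;;
    esac
}

# audit_ssh_suid BINDIR LIBEXECDIR
# Returns 0 when scp and ssh carry no setuid bit, 1 otherwise.
audit_ssh_suid() {
    as_rc=0
    audit_one "$1/scp" never || as_rc=1
    audit_one "$1/ssh" avoid || as_rc=1
    audit_one "$2/ssh-keysign" expected || as_rc=1
    return "$as_rc"
}

# Run only when directories are given, e.g.: sh audit.sh /usr/bin /usr/libexec
if [ "$#" -ge 2 ]; then
    audit_ssh_suid "$1" "$2"
fi
```

The location of ssh-keysign varies between installations, so pass the directory your build actually uses as the second argument.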