I'm not happy with ssh being setuid root. I know that the long-term goal is to have a separate host-key-management process, but that is a ways off. Until then, I'd like to propose the following:

- Allow ssh to read alternate key files. This would allow the ssh client to use keyfiles different from the ones sshd uses. I know that this can be done now by changing the ones sshd uses, but I'd rather make ssh the special case.

- Allow said key files to be group readable. Changing authfile.c:key_perm_ok() to allow group readable keys would allow us to make ssh setgid instead of setuid. Yes, this is insecure if someone is stupid enough to export their key files via NFS or some other such silliness, but is safe for sane admins.

If we do both of the above, ssh can be setgid ssh, and optionally use different keys for client and server identification. Host-based auth now works without a root-privileged client. Damage from a security issue in ssh is limited to spoofing a trusted host, instead of total system compromise.

I'm happy to write the code changes, but wanted to run this up the flagpole first to see if there was strong resistance.

-- Carson
On Fri, May 04, 2001 at 02:18:10AM -0700, Carson Gaspar wrote:

> - Allow ssh to read alternate key files.

i'm not sure about this one. you want to force ssh to read arbitrary key files and produce valid signatures with random files.

> - Allow said key files to be group readable

we've been discussing a setgid ssh earlier, but decided that it's not the way to go. however, i'm thinking about moving the client side of hostbased authentication out of ssh, to a setuid binary /usr/libexec/ssh-keysign and remove the sbit from ssh. ssh-keysign will read the hostkeys and generate a valid signature. this won't work for rhosts-rsa, but there is no need to use rhosts-rsa if hostbased authentication works. if you really need to support protocol 1 with rhosts-rsa, you can turn on the sbit again for ssh.

-m
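The private-key permission check the two posts argue about, as an added example that is not OpenSSH's code and not the authfile.c:key_perm_ok() Carson names: it applies the owner-only rule and the proposed group-readable relaxation side by side, so the exact bit that the setgid proposal would loosen is visible. The function and policy names (key_mode_ok, key_perm_ok, make_test_key, KEY_OWNER_ONLY, KEY_GROUP_READ) and the /tmp test path are assumptions made for this example.

```c
/* Added example, not OpenSSH code. Names and the temp path are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum key_policy {
    KEY_OWNER_ONLY,  /* reject any group or other access: the strict rule */
    KEY_GROUP_READ   /* tolerate group read so a setgid client can use the key */
};

/* Decide from the permission bits alone whether a private key file is
 * acceptable under the given policy. Returns 1 for ok, 0 for rejected. */
int key_mode_ok(mode_t mode, enum key_policy policy)
{
    /* Nobody outside owner and group may touch the file, and the group may
     * never write or execute it; only group *read* depends on the policy. */
    mode_t forbidden = S_IRWXO | S_IWGRP | S_IXGRP;
    if (policy == KEY_OWNER_ONLY)
        forbidden |= S_IRGRP;
    return (mode & forbidden) == 0;
}

/* lstat() a key file and apply key_mode_ok(). Also insists on a regular
 * file, since a symlink or device at the key path is never acceptable.
 * Returns 1 for ok, 0 for rejected or unreadable. */
int key_perm_ok(const char *path, enum key_policy policy)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    return key_mode_ok(st.st_mode & 07777, policy);
}

/* Create an empty temporary "key" with exactly the requested mode so the
 * check can be exercised without a real key (constructed test input).
 * Writes the path into path_out; returns 0 on success, -1 on failure. */
int make_test_key(mode_t mode, char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/hostkey_example_XXXXXX";  /* assumed scratch location */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {   /* explicit mode, independent of umask */
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    if (strlen(tmpl) + 1 > path_len) {
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return 0;
}

int main(void)
{
    static const mode_t modes[] = { 0600, 0640, 0660, 0644 };
    char path[64];
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        if (make_test_key(modes[i], path, sizeof path) != 0)
            return 1;
        printf("mode %04o: owner-only %s, group-read %s\n", (unsigned)modes[i],
               key_perm_ok(path, KEY_OWNER_ONLY) ? "ok" : "rejected",
               key_perm_ok(path, KEY_GROUP_READ) ? "ok" : "rejected");
        unlink(path);
    }
    return 0;
}
```

Only S_IRGRP differs between the two policies; everything else (no access for others, no group write, regular file only) stays in force, which is what keeps the relaxed variant exactly as strong as the group's membership and the local filesystem, the NFS caveat Carson already raises. It also shows why Markus's alternative is attractive: a small setuid ssh-keysign that reads the host key and returns a signature leaves the key at 0600 and needs no relaxation at all.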