On Sun, 7 Jun 2020 at 03:57, Harald Dunkel <harald.dunkel at aixigo.com>
wrote:> I wonder why EnableSSHKeysign is disabled by default. Does it hurt
> somehow?
It enables the ssh-keysign helper which is setuid root but unneeded by
the vast majority of users. Disabling it by default is a risk
mitigation strategy: if there's ever a bug in it or it can be
otherwise abused then it's likely that the majority of installations
will not be impacted.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.