Date: Sun, 3 Sep 2000 01:03:49 +0200 From: Neil Blakey-Milner <nbm@mithrandr.moria.org> To: Brian Somers <brian@Awfulhak.org> Cc: Kris Kennaway <kris@FreeBSD.org>, "Jacques A. Vidrine" <n@nectar.com>, Poul-Henning Kamp <phk@critter.freebsd.dk>, Dan Nelson <dnelson@emsphone.com>, sthaug@nethelp.no, ume@FreeBSD.org, arch@FreeBSD.org Subject: Re: setuid ssh should die Message-ID: <20000903010349.A41415@mithrandr.moria.org> In-Reply-To: <200009022257.e82MvK775931@hak.lan.Awfulhak.org>; from brian@Awfulhak.org on Sat, Sep 02, 2000 at 11:57:20PM %2B0100 References: <brian@Awfulhak.org> <200009022257.e82MvK775931@hak.lan.Awfulhak.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat 2000-09-02 (23:57), Brian Somers wrote: > > > On Sat, 2 Sep 2000, Brian Somers wrote: > > > > > > > What do people reckon then (-arch cc'd) ? I'll add > > > > > > > > #ENABLE_SUIDSSH= true > > > > > > > > to etc/defaults/make.conf then mention it in ssh_config and make the > > > > adjustment to the ssh build so that it defaults to *not* being suid. > > > > > > I have no problems making ssh non-suid by default since most people dont > > > use RhostsRSAAuthentication. > > > > > > Since I have ssh changes in the works please send me the patches and I'll > > > apply them after the upgrade. Please add information to the manpage on how > > > to fix it, and a helpful error telling them what to do when the user tries > > > to use it. > > > > That's no problem, except for the ``helpful error'' bit. I don't > > think ssh should attempt to interpret the failure to bind a socket. > > The perror() should be sufficient in my book. > > Wait... I'm missing something here. It seems that ssh will exec rsh > when FallBackToRsh is enabled. It therefore doesn't need root for > anything I know of. > > Can anybody enlighten me ? RhostsRSAAuthentication is for .rhosts-like authentication, except that there is authentication of the host. You put the host key in /etc/known_hosts, and the hostname in /etc/shosts, and when someone claims to be that host, you compare to the public key in known_hosts, and if they match, you let their authentication succeed. Of not, obviously, it kvetches. Neil -- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000903010349.A41415>