Date:      Thu, 13 Sep 2001 15:07:48 -0500
From:      Tony Wells <tony@camel.kdsi.net>
To:        Greg Black <gjb@gbch.net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Avoiding passwords with ssh under 4.3R
Message-ID:  <3BA11214.500E232A@camel.kdsi.net>
References:  <nospam-1000238233.80909@mx.gbch.net> <3B9F9263.71665CAA@camel.kdsi.net> <nospam-1000350058.50298@mx.gbch.net>

Greg Black wrote:
> 
> Message re-formatted in the accepted format.  Please don't just
> stick comments on the top of a quoted message.
> 
> Tony Wells wrote:
> 
> | Greg Black wrote:
> |
> | > I have recently installed 4.3-RELEASE on a system which needs
> | > ssh access to a couple 4.2-R boxes.  I copied the ssh_config and
> | > sshd_config files from the 4.2 boxes to the new system.
> | >
> | > From the 4.2 boxes, I can ssh to any system without a password,
> | > but from the 4.3 box I am prompted for a password on every
> | > system, including the 4.3 box itself.
> | >
> | > The other anomaly is that root can ssh out to all hosts from the
> | > 4.3 box without a password; the password requirement is limited
> | > to non-root users.
> | >
> | > If anybody can tell me what I've missed in order to ssh out of
> | > that 4.3 box as an ordinary user without having to type a
> | > password, I'd be delighted.
> |
> | It sounds like you're looking for RSA/DSA based authentication, for
> | version 1 and 2 respectively.  On your new box, you probably don't have
> | a key installed for the user that the server you're ssh'ing to
> | recognizes.
> 
> The thing is that it was /not/ looking for the authentication I
> wanted unless it was run by root.  As was made clear in the
> information above, it was nothing to do with keys.
>

You never made it clear what form of authentication you are using.
 
> The following line did not appear in the debug log (it just went
> straight to password authentication):
> 
>     Trying rhosts or /etc/hosts.equiv with RSA host authentication
> 
> | If you 'man ssh' there is a pretty clear explanation on how to get this
> | going.
> 
> If that was true, I would not have asked the question.
> 
> Anyway, I have discovered why it did not work under 4.3-R -- for
> some reason /usr/sbin/ssh is not setuid root as it is on the 4.2
> boxes.
> 
> My real question then is: why was this change made, since it
> appears to break ssh operation?  And, for extra points, is there
> any reason why I should not restore the setuid bit on ssh?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/book.html#SSH-SHOSTS

8.43. Why doesn't SSH authentication through .shosts work by default in
recent versions of FreeBSD?

The reason why .shosts authentication does not work by default in more
recent versions of FreeBSD is because ssh(1) is not installed suid root
by default. To ``fix'' this, you can do one of the
following:

As a permanent fix, set ENABLE_SUID_SSH to true in /etc/make.conf and
rebuild ssh (or run make world).
 
As a temporary fix, change the mode on /usr/bin/ssh to 4555 by running
chmod 4755 /usr/bin/ssh as root. Then add ENABLE_SUID_SSH= true to
/etc/make.conf so the change takes effect the next time make world is
run.

<end website quote>

The reason this was changed is *suid root is a bad thing.*  It is a
necessary evil, but evil nonetheless.  Anything that gives unprivileged
users processes running as root can be a security hazard, as buffer
overrun attacks can lead to elevated privilege.  It breaks .shosts
authentication, but I guess that was an acceptable trade-off.

The reason not to restore suid root on ssh is mentioned in the above
paragraph; it just depends on how paranoid you are.  RSA/DSA auth will
work without having ssh suid root.

> 
> Please address replies to me as well as the list, as I'm not
> currently subscribed.
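
An added example, not code from this thread, the FreeBSD FAQ, or the
OpenSSH project: a small POSIX shell check that tells you whether a
client binary is setuid root and therefore whether .shosts/rhosts-RSA
authentication can work from it at all.  The reason the setuid bit
matters is that rhosts-RSA needs the client to read the host's private
key (/etc/ssh/ssh_host_key, readable only by root) and plain rhosts needs
it to bind a privileged source port; RSA/DSA user-key authentication
needs neither, which is why it keeps working on a non-setuid ssh.  The
path /usr/bin/ssh comes from the FAQ quoted above; the verdict strings,
function names, and the SSH_BIN override are my own.  Note the FAQ quote
names the mode as 4555 in one sentence and 4755 in the other; both set
the setuid bit, and 4555 matches the mode 555 FreeBSD installs its
binaries with.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): is the ssh client setuid root,
# and what password-less authentication can therefore work from it?
# Assumptions: POSIX find(1) with -perm/-user; the default path is FreeBSD's.

# 0 if the file has the setuid bit (mode 4000) set, regardless of owner.
# find(1) is used instead of parsing ls(1) output because its -perm test is
# portable across BSD, GNU and busybox. -prune stops descent if $1 is a dir.
has_setuid_bit() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# 0 only if the file is setuid AND owned by root: the combination that
# actually lets the client read the root-only host key. A setuid binary
# owned by someone else is a bug, not a remedy.
is_setuid_root() {
    [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# One-word verdict on which password-less methods the client can use.
#   hostbased-or-pubkey : setuid root, so .shosts/rhosts-RSA is possible,
#                         as is RSA/DSA user-key auth
#   pubkey-only         : not setuid root (the 4.3-R default), so only
#                         RSA/DSA user-key auth works without a password
client_auth_mode() {
    if is_setuid_root "$1"; then
        echo hostbased-or-pubkey
    else
        echo pubkey-only
    fi
}

# The FAQ's two remedies, emitted as text so the reader can copy them.
# 4555 is used here because it matches FreeBSD's install mode (555) plus
# the setuid bit; the FAQ quote mentions both 4555 and 4755.
faq_remedies() {
    cat <<EOF
temporary: chmod 4555 $1
permanent: echo 'ENABLE_SUID_SSH= true' >> /etc/make.conf  (then rebuild ssh or make world)
EOF
}

# Stand-alone run: diagnose the local client.
SSH_BIN=${SSH_BIN:-/usr/bin/ssh}
printf '%s: %s\n' "$SSH_BIN" "$(client_auth_mode "$SSH_BIN")"
if ! is_setuid_root "$SSH_BIN"; then
    echo 'If you really want .shosts auth back (the thread explains why you may not):'
    faq_remedies "$SSH_BIN"
fi
```

Run it as any user; it needs no privileges because it only inspects mode
bits.  `SSH_BIN=/usr/local/bin/ssh sh check.sh` points it at a ports
build.  If the verdict is `pubkey-only`, the fix Tony recommends is to
generate a user key with `ssh-keygen` and install the public half in the
remote `~/.ssh/authorized_keys` (or `authorized_keys2` for protocol-2 DSA
keys on OpenSSH of that era) rather than to re-add the setuid bit.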
