Date: Fri, 20 Aug 2004 09:18:27 -0500 From: Dan Nelson <dnelson@allantgroup.com> To: Dag-Erling Smorgrav <des@des.no> Cc: freebsd-current@freebsd.org Subject: Re: suid bit sshd Message-ID: <20040820141827.GD8165@dan.emsphone.com> In-Reply-To: <xzpy8ka3yco.fsf@dwp.des.no> References: <200408131332.09164.ilkerozupak@yahoo.com> <20040813104934.GL87690@submonkey.net> <200408131436.12750.ilkerozupak@yahoo.com> <20040813153607.GF4198@dan.emsphone.com> <20040820114001.R28976@mp2.macomnet.net> <xzpy8ka3yco.fsf@dwp.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
In the last episode (Aug 20), Dag-Erling Smorgrav said: > Maxim Konovalov <maxim@macomnet.ru> writes: > > DES, is it OK to commit a following patch? Or you were going to > > deprecate ENABLE_SUID_SSH? We still have it in make.conf(5), > > share/examples/etc/make.conf and ssh-keysign/Makefile. > > The whole point with ssh-keysign is to separate out the parts of ssh > that need a setuid bit. It should not be necessary for ssh to have a > setuid bit if ssh-keysign does, which is what ENABLE_SUID_SSH > controls these days. ssh-keysign doesn't yet handle SSH 1 keys, though, and a non-root ssh can't use UsePrivilegedPort which may be needed for RhostsRSAAuthentication with older servers. If you're only using SSH-2 keys, and you're only talking to new sshds, then no, you don't need ENABLE_SUID_SSH. -- Dan Nelson dnelson@allantgroup.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040820141827.GD8165>