From owner-freebsd-current@FreeBSD.ORG  Fri Aug 20 14:18:31 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A698916A4CE
	for <freebsd-current@freebsd.org>;
	Fri, 20 Aug 2004 14:18:31 +0000 (GMT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5A99B43D45
	for <freebsd-current@freebsd.org>;
	Fri, 20 Aug 2004 14:18:31 +0000 (GMT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.12.11/8.12.11) id i7KEIRcu016971;
	Fri, 20 Aug 2004 09:18:28 -0500 (CDT)
	(envelope-from dan)
Date: Fri, 20 Aug 2004 09:18:27 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Dag-Erling Smorgrav <des@des.no>
Message-ID: <20040820141827.GD8165@dan.emsphone.com>
References: <200408131332.09164.ilkerozupak@yahoo.com>
	<20040813104934.GL87690@submonkey.net>
	<200408131436.12750.ilkerozupak@yahoo.com>
	<20040813153607.GF4198@dan.emsphone.com>
	<20040820114001.R28976@mp2.macomnet.net> <xzpy8ka3yco.fsf@dwp.des.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <xzpy8ka3yco.fsf@dwp.des.no>
X-OS: FreeBSD 5.2-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.6i
cc: Ceri Davies <ceri@submonkey.net>
cc: Ilker Ozupak <ilkerozupak@yahoo.com>
cc: freebsd-current@freebsd.org
Subject: Re: suid bit sshd
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2004 14:18:31 -0000

In the last episode (Aug 20), Dag-Erling Smorgrav said:
> Maxim Konovalov <maxim@macomnet.ru> writes:
> > DES, is it OK to commit a following patch?  Or you were going to
> > deprecate ENABLE_SUID_SSH?  We still have it in make.conf(5),
> > share/examples/etc/make.conf and ssh-keysign/Makefile.
> 
> The whole point with ssh-keysign is to separate out the parts of ssh
> that need a setuid bit.  It should not be necessary for ssh to have a
> setuid bit if ssh-keysign does, which is what ENABLE_SUID_SSH
> controls these days.

ssh-keysign doesn't yet handle SSH 1 keys, though, and a non-root ssh
can't use UsePrivilegedPort which may be needed for
RhostsRSAAuthentication with older servers.  If you're only using SSH-2
keys, and you're only talking to new sshds, then no, you don't need
ENABLE_SUID_SSH.

-- 
	Dan Nelson
	dnelson@allantgroup.com