Date: Sat, 2 Sep 2000 15:57:01 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: Neil Blakey-Milner <nbm@mithrandr.moria.org> Cc: Dan Nelson <dnelson@emsphone.com>, sthaug@nethelp.no, phk@critter.freebsd.dk, ume@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: setuid ssh should die (Re: Request for review: nsswitch) Message-ID: <20000902155701.C1263@hamlet.nectar.com> In-Reply-To: <20000902221424.A39558@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Sat, Sep 02, 2000 at 10:14:24PM %2B0200 References: <41582.967924374@critter> <62717.967924513@verdi.nethelp.no> <20000902145822.B28852@dan.emsphone.com> <20000902150221.A1263@hamlet.nectar.com> <20000902221424.A39558@mithrandr.moria.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Sep 02, 2000 at 10:14:24PM +0200, Neil Blakey-Milner wrote:
> So was he. He is talking RhostsRSAAuthentication. I think we needn't
> worry about it, and we should default to non-suid, with a comment in the
> configuration stating that RhostsRSAAuthentication requires suid-root on
> the ssh binary on the client side.
Agreed.
It may make sense to have ssh warn if it is not setuid, and this option
has been requested, e.g.
@@ -546,6 +546,10 @@
}
/* Disable rhosts authentication if not running as root. */
if (original_effective_uid != 0 || !options.use_privileged_port) {
+ if (options.rhosts_authentication ||
+ options.rhosts_rsa_authentication)
+ log("Warning: rhosts disabled - "
+ "insufficient privileges");
options.rhosts_authentication = 0;
options.rhosts_rsa_authentication = 0;
}
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000902155701.C1263>