From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG, des@FreeBSD.ORG, ru@FreeBSD.ORG
Date: Wed, 18 Oct 2006 09:25:28 +0200 (CEST)
Subject: Re: ENABLE_SUID_SSH in make.conf
Message-Id: <200610180725.k9I7PSR7023474@lurza.secnetix.de>
In-Reply-To: <20061017160351.GA72123@rambler-co.ru>

Ruslan Ermilov wrote:
> Albert Chin wrote:
> > According to make.conf(5):
> >     ENABLE_SUID_SSH
> >         (bool) Set this to install ssh(1) with the
> >         set-user-ID bit turned on.
> >
> > However, I think ENABLE_SUID_SSH only sets the suid bit for
> > /usr/libexec/ssh-keysign.
That name exists for historical reasons. Some time ago it was ssh(1) itself which got the suid bit in order to be able to read the private host key (which is readable by root only). Access to that key is required for host-based authentication (disabled by default). Hence the variable named ENABLE_SUID_SSH. But then the OpenSSH folks decided that it is preferable not to make ssh(1) suid root. They created a small tool to access the private host key, and made only that tool setuid root. That's ssh-keysign(8). However, the name of the variable wasn't changed, so host-based authentication didn't break for those people who enabled it.

> > Why isn't /usr/libexec/ssh-keysign suid by default anyway? It's
> > pointless without it.
>
> Good question. Let's see what our maintainer has to say about it.
> My feeling as well is that the option should just be removed.

Personally I have never used ssh-keysign, because I think that host-based authentication (which is the only thing that requires ssh-keysign to be suid-root) is too insecure. I guess most people don't even know that it exists. :-)

Since I prefer not to have any superfluous suid binaries on my system, I'm quite happy with the default of ssh-keysign not being suid-root. Note that host-based authentication is disabled by default anyway (for good reason), so it doesn't really make sense to make ssh-keysign suid-root by default.

For the reasons outlined above, I recommend not changing anything at all, except correcting the documentation in make.conf(5) and in /usr/share/examples/etc/make.conf, like this:

    ENABLE_SUID_SSH
        (bool) Set this to install ssh-keysign(8) with the set-user-ID
        bit turned on. This is only required for host-based
        authentication, which is disabled by default. See the
        description of the ~/.rhosts and /etc/hosts.equiv files in
        sshd(8) for details.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"The ITU has offered the IETF formal alignment with its corresponding technology, Penguins, but that won't fly." -- RFC 2549
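A check in the spirit of the point made above, added here as an example and not part of the original thread: it reports whether the set-user-ID bit on ssh-keysign is consistent with the client-side host-based authentication settings, so a superfluous suid binary (or a silently broken host-based setup) stands out. Both paths are parameters so it can be run against any files; it reads HostbasedAuthentication and EnableSSHKeysign (the ssh_config option that gates ssh-keysign) naively and ignores Host/Match blocks.

```sh
#!/bin/sh
# Added example (not from the original thread): report whether the
# set-user-ID bit on ssh-keysign matches the host-based authentication
# configuration. Both paths are parameters so the checks can be run
# against constructed files; the config parsing is deliberately naive
# and ignores Host/Match blocks.

# Succeeds if the file exists and has the set-user-ID bit set.
is_setuid() {
    [ -u "$1" ]
}

# Succeeds if the given ssh_config keyword is set to "yes" on an
# uncommented line (keywords are case-insensitive in ssh_config).
option_is_yes() {
    opt="$1"; conf="$2"
    [ -r "$conf" ] && grep -Eiq "^[[:space:]]*${opt}[[:space:]]+yes([[:space:]]|\$)" "$conf"
}

# ssh(1) only invokes ssh-keysign when both HostbasedAuthentication and
# EnableSSHKeysign are enabled on the client side.
hostbased_enabled() {
    option_is_yes HostbasedAuthentication "$1" && option_is_yes EnableSSHKeysign "$1"
}

# Prints exactly one verdict:
#   consistent-disabled  no suid bit, host-based auth off (the default)
#   consistent-enabled   suid bit set, host-based auth on
#   superfluous-suid     suid bit set but nothing on this host needs it
#   broken-hostbased     host-based auth on, but ssh-keysign cannot read the host key
audit_keysign() {
    keysign="$1"; sshconf="$2"
    if hostbased_enabled "$sshconf"; then
        if is_setuid "$keysign"; then echo consistent-enabled; else echo broken-hostbased; fi
    else
        if is_setuid "$keysign"; then echo superfluous-suid; else echo consistent-disabled; fi
    fi
}

# Default to the paths discussed in the thread; both can be overridden.
audit_keysign "${1:-/usr/libexec/ssh-keysign}" "${2:-/etc/ssh/ssh_config}"
```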