Date: Wed, 18 Oct 2006 09:35:54 +0100 From: David Malone <dwmalone@maths.tcd.ie> To: Oliver Fromme <olli@lurza.secnetix.de> Cc: ru@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, des@FreeBSD.ORG Subject: Re: ENABLE_SUID_SSH in make.conf Message-ID: <20061018083554.GA16465@walton.maths.tcd.ie> In-Reply-To: <200610180725.k9I7PSR7023474@lurza.secnetix.de> References: <20061017160351.GA72123@rambler-co.ru> <200610180725.k9I7PSR7023474@lurza.secnetix.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 18, 2006 at 09:25:28AM +0200, Oliver Fromme wrote: > That name exists for historical reasons. Some time ago it > was ssh(1) itself which got the suid bit in order to be > able to read the private host key (which is readable by > root only). Access to that key is required for host-based > authentication (disabled by default). Hence the variable > named ENABLE_SSH_SUID. There is another reason for wanting this. If you still use the ssh1 RSARhosts authentication mechanism, then it needs ssh to be suid root because using a priveleged port is part of the authentication mechanism (combined with signing using the host key). This has been more or less replaced by the ssh-keysign stuff, but I guess some people may still be depending on it. David.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061018083554.GA16465>