Subject: Re: What will I lose if ssh is no more suid root?
From: Bruce M. Simpson (bruce@closed-networks.com)
Date: Fri Aug 04 2000 - 14:33:31 CDT


Andre,

On Fri, Aug 04, 2000 at 05:12:12PM +0200, Andre Albsmeier wrote:
> > Anyways, what it does give you is the ability to read the host key's private
> > part, and thus use RSAHostAuthentication, which is far more useful.
>
> Yes, I found this issue in the docs meanwhile...
>
> > If you don't need/want it though, running with the setuid bits off should not
> > give you too much of a problem.
>
> No, I am currently running without it and didn't have problems.

You're a very trusting man. ;> Seriously, isn't this a good candidate app for
a privilege API? i.e. give a privilege to the ssh client on the system to use
the host key for helping to identify itself to the remote peer.

Yet another example of the kind of thing which gets people implementing lots
of kludges using group numbers and kernel patches. Easily solved with
a privilege API.

Just my 2c.

-- 
Bruce M. Simpson [udp]         Digital Security Architect, Closed Networks
                                         www: www.closed-networks.com/~udp
London [gsm+wap]                                www.packetfactory.net/~udp
United Kingdom                     email+pgp:    bruce@closed-networks.com
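The thread's underlying point is that a setuid-root ssh client only needs root for one thing (reading the private half of the host key) and should hold it for as short a time as possible. The following is an added illustration of that "do the single privileged operation, then drop root for good" pattern; it is not code from the thread, from ssh or from any project. The file path is a hypothetical placeholder, and the functions `open_privileged_file` and `drop_privileges_permanently` are names chosen here.

```c
/* Added example (not from the thread or from ssh): open one privileged file,
 * then permanently give up setuid/setgid privilege and verify it is gone. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a file while we may still be privileged and hand back the descriptor.
 * The caller closes it. The path is only a placeholder for a host key file. */
int open_privileged_file(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Permanently drop to the real (invoking) user and group.
 * Returns 0 on success, -1 if any step fails or root could still be regained. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    uid_t r, e, s;
    gid_t gr, ge, gs;

    /* Supplementary groups first; only root may call setgroups(). */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group before user: once the uid is unprivileged, setresgid() would fail. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Setting real, effective AND saved uid is what makes the drop permanent. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Verify: all three ids must equal the unprivileged id, so setuid(0) cannot
     * later succeed. Never trust the syscalls succeeded without checking. */
    if (getresuid(&r, &e, &s) != 0 || getresgid(&gr, &ge, &gs) != 0)
        return -1;
    if (r != ruid || e != ruid || s != ruid)
        return -1;
    if (gr != rgid || ge != rgid || gs != rgid)
        return -1;
    /* If we were not root to begin with, regaining root must fail outright. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Placeholder path: a real client would open its host key here. */
    int fd = open_privileged_file("/dev/null");
    if (fd < 0) {
        perror("open_privileged_file");
        return 1;
    }
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed or incomplete\n");
        return 1;
    }
    printf("file opened, now running as uid %u with no way back\n",
           (unsigned)geteuid());
    close(fd);
    return 0;
}
```

The order matters: supplementary groups, then gid, then uid, each checked, followed by a positive check that the saved ids are gone. Run as an unprivileged user the drop is a no-op, which is what the test below exercises; run setuid-root it keeps root only for the `open()` call, which is the behaviour the thread argues a privilege API would make unnecessary.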
