RSARhosts / Hostbased auth and euid=0 requirement
Carson Gaspar
carson at taltos.org
Fri May 4 19:18:10 EST 2001
I'm not happy with ssh being setuid root. I know that the long-term goal is
to have a separate host-key-management process, but that is a ways off.
Until then, I'd like to propose the following:
- Allow ssh to read alternate key files.
This would allow the ssh client to use keyfiles different from the ones
sshd uses. I know that this can be done now by changing the ones sshd uses,
but I'd rather make ssh the special case.
- Allow said key files to be group readable
Changing authfile.c:key_perm_ok() to allow group readable keys would allow
us to make ssh setgid instead of setuid. Yes, this is insecure if someone
is stupid enough to export their key files via NFS or some other such
silliness, but is safe for sane admins.
If we do both of the above, ssh can be setgid ssh, and optionally use
different keys for client and server identification. Host-based auth now
works without a root-privileged client. Damage from a security issue in
ssh is limited to spoofing a trusted host, instead of total system
compromise.
I'm happy to write the code changes, but wanted to run this up the flagpole
first to see if there was strong resistance.
--
Carson
More information about the openssh-unix-dev
mailing list