RSARhosts / Hostbased auth and euid=0 requirement
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Wed May 9 07:43:23 EST 2001
On Fri, May 04, 2001 at 02:18:10AM -0700, Carson Gaspar wrote:
> - Allow ssh to read alternate key files.
i'm not sure about this one.
you want to force ssh to read arbitrary key files
and produce valid signatures with random files.
> - Allow said key files to be group readable
we've been discussing a setgid ssh earlier, but
decided that it's not the way to go.
however, i think about moving the client side of
hostbased authentication out of ssh, to a setuid binary
/usr/libexec/ssh-keysign
and remove the sbit from ssh.
ssh-keysign will read the hostkeys and generate a valid
signature.
this won't work for rhosts-rsa, but there is no need
to use rhosts-rsa if hostbased authentication works.
if you really need to support protocol 1 with rhosts-rsa,
you can turn on the sbit again for ssh.
-m
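
The split proposed in this message, sketched as an added example that is not part of the original post and not OpenSSH code: a small setuid helper opens the protected key from a fixed location while privileged, then gives up its privileges permanently before doing anything else. The function names and the key path are hypothetical, and the signing step is left out.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();
    /* Group first: after the uid drop we may not be allowed to change gids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* If we were elevated, regaining the old ids must now fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Open the protected key while still privileged, then drop for good.
 * `path` must be a fixed, built-in location, never a caller-chosen file.
 * Returns a read-only fd, or -1 on any failure. */
int open_key_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (drop_privileges() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd; /* -1 if the open itself failed */
}

int main(void)
{
    /* Hypothetical placeholder path, not taken from the original message. */
    int fd = open_key_then_drop("/etc/ssh/example_host_key");
    if (fd < 0) {
        fprintf(stderr, "cannot open key or drop privileges\n");
        return 1;
    }
    /* Now running as the invoking user; only `fd` carries the privilege.
     * A real helper would read the key and sign the request here. */
    close(fd);
    return 0;
}
```

Because the verification step tries to regain the old ids, a helper installed setuid to a non-root user (where `setuid()` leaves the saved uid intact) is reported as a failed drop instead of silently staying recoverable.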