apparent ssh_config fascism

Phillip Brown P.Brown at
Mon Nov 18 23:39:05 EST 2002

After reading the man page for ssh-keysign, some admins might be unaware
that root can use Hostbased authentication by only having a setting
in .ssh/config without having to think about the ramifications of going
down the /etc/ssh/ssh_config route.  Maybe man ssh-keysign should be 
fleshed out a little to make the exception absolutely clear.

The fact that Hostbased authentication needs to be enabled in
/etc/ssh/ssh_config to make the method available to users other than
root, even when ssh-keysign is suid root, suggests that it should be a
decision the administrator should not take lightly - and hence that such
ramifications do exist.  Perhaps there are scenarios of abuse or am I
reading to much into this?

More information about the openssh-unix-dev mailing list