Considering shipping ssh-keysign non-setuid
Colin Watson
cjwatson at debian.org
Sat May 16 01:19:01 AEST 2026
On Fri, May 15, 2026 at 07:53:33AM -0600, Theo de Raadt wrote:
> I'm pretty sure that would be a mistake.
>
> The problem is not ssh-keysign.
>
> It is a kernel bug.
>
> It affects any setuid program and it is my understanding that a typical
> Linux ships with almost a hundred of those.
I'm aware of all that, yes. The kernel bugs aren't my area, but others
are certainly working on those. I'm obviously not suggesting that
changes to OpenSSH packaging would fix the vulnerability in question, as
they clearly wouldn't; it just prompted me to think about this.

Does that mean you consider it absolutely necessary to keep shipping a
setuid binary for a feature that I've seen OpenSSH developers describe
as "doesn't get used much [any] more"
(https://bugzilla.mindrot.org/show_bug.cgi?id=3615#c28)? That seems
surprising, since defence in depth is usually a thing ...
Thanks,
--
Colin Watson (he/him) [cjwatson at debian.org]