Considering shipping ssh-keysign non-setuid
Marc Haber
mh+openssh-unix-dev at zugschlus.de
Sat May 16 03:40:42 AEST 2026
On Fri, May 15, 2026 at 07:53:33AM -0600, Theo de Raadt wrote:
>I'm pretty sure that would be a mistake.
>
>The problem is not ssh-keysign.
>
>It is a kernel bug.
>
>It affects any setuid program and it is my understanding that a typical
>Linux ships with almost a hundred of those.

Fully agreed. Would you disagree if I said that it's a good idea to
reduce the number of suid binaries in a deployed system? What would be
the consequences of making this mistake in Debian?

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421