From owner-freebsd-arch Sat Sep 2 13:16:44 2000
Date: Sat, 2 Sep 2000 15:14:07 -0500
From: Dan Nelson
To: "Jacques A. Vidrine"
Cc: sthaug@nethelp.no, phk@critter.freebsd.dk, ume@FreeBSD.ORG, arch@FreeBSD.ORG
Subject: Re: setuid ssh should die (Re: Request for review: nsswitch)
Message-ID: <20000902151406.A7615@dan.emsphone.com>
References: <41582.967924374@critter> <62717.967924513@verdi.nethelp.no> <20000902145822.B28852@dan.emsphone.com> <20000902150221.A1263@hamlet.nectar.com>
In-Reply-To: <20000902150221.A1263@hamlet.nectar.com>; from "Jacques A. Vidrine" on Sat Sep 2 15:02:21 GMT 2000

In the last episode (Sep 02), Jacques A. Vidrine said:
> On Sat, Sep 02, 2000 at 02:58:22PM -0500, Dan Nelson wrote:
> > Rather, it's so it can read the host key, which is only readable by
> > root.
>
> We're talking about ssh, not sshd. (assume we're connecting from pc1 to pc2)

Right; if ssh is not setuid, it doesn't have access to pc1's private host key, so the sshd on pc2 cannot verify pc1's identity. That means sshd can't use .shosts. See the ssh/sshd manpage, under "RhostsRSAAuthentication".

--
Dan Nelson
dnelson@emsphone.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
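The precondition Dan describes can be audited on a host: for RhostsRSA host-based authentication the ssh client must be able to read the local private host key, which is root-only, so either the client is setuid root or the key has been loosened (and thereby exposed). The following is an added example, not code from the thread; the binary and key paths are passed as arguments (assumed, not FreeBSD's real defaults) so the check can be exercised against constructed files.

```sh
#!/bin/sh
# Added example: classify how an ssh client could reach the host private key.
# Outputs one of:
#   setuid-ok   - key is root-only and the client is setuid, the setup the
#                 thread describes (and the reason "setuid ssh" exists)
#   no-access   - key is root-only and the client is not setuid; host-based
#                 auth (.shosts) cannot work from this machine
#   key-exposed - key is group- or world-readable; any local user can read
#                 it, which is a misconfiguration regardless of setuid
audit_hostkey_access() {
    ssh_bin=$1
    host_key=$2
    [ -f "$ssh_bin" ] || { echo missing-binary; return 2; }
    [ -f "$host_key" ] || { echo missing-key; return 2; }

    # Portable permission string, e.g. "-rw-------": char 5 is group read,
    # char 8 is other read.
    perm=$(ls -ld "$host_key" | cut -c1-10)
    key_readable=no
    case "$perm" in
        ????r*|???????r*) key_readable=yes ;;
    esac

    if [ "$key_readable" = yes ]; then
        echo key-exposed
        return 1
    elif [ -u "$ssh_bin" ]; then
        echo setuid-ok
        return 0
    else
        echo no-access
        return 1
    fi
}

# Stand-alone use: audit_hostkey_access /path/to/ssh /path/to/ssh_host_key
if [ "$#" -eq 2 ]; then
    audit_hostkey_access "$1" "$2"
fi
```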