


/usr/bin/ssh and setuid root

Hi,
is it a security problem to set a client ssh-binary to setuid root (4755) ?
If I don't set the 4-bit I get no hostbased access to my sshd-server.
Thanx, Markus

7/4/2003 4:59:21 PM
comp.security.ssh


>>>>> "MZ" == Markus Zimmermann <Markus.Zimmermann@hz-bau.de> writes:

    MZ> Hi, is it a security problem to set a client ssh-binary to setuid
    MZ> root (4755) ?  If I don't set the 4-bit I get no hostbased access
    MZ> to my sshd-server.  Thanx, Markus

You did not say what SSH software you're using, versions, etc.

The setuid mechanism is a necessity, but always a concern since it
exacerbates any existing software bugs by allowing privilege escalation.

The setuid bit is needed because the SSH client needs access to the client
host key in order to certify your identity to the server.  Two things:

1) Recent versions of OpenSSH and ssh.com software factor this signing
   operation into a separate program (ssh-signer/ssh-keysign), which must
   be setuid.  This is better because hopefully, the smaller
   single-purpose program will be less likely to have or develop problems
   which can be exploited.

2) In any case, there's no need for it to be setuid *root*.  The default
   install does this, but it's a bad idea.  Use a different, unprivileged
   uid to gate read access to the private host key.

-- 
  Richard Silverman
  res@qoxp.net

res49 (1410)
7/5/2003 3:28:25 AM
In article <m2n0ftejom.fsf@darwin.oankali.net>,
Richard E Silverman  <res@qoxp.net> wrote:
>>>>>> "MZ" == Markus Zimmermann <Markus.Zimmermann@hz-bau.de> writes:
>    MZ> Hi, is it a security problem to set a client ssh-binary to setuid
>    MZ> root (4755) ?  If I don't set the 4-bit I get no hostbased access
>    MZ> to my sshd-server.  Thanx, Markus
>
>You did not say what SSH software you're using, versions, etc.
>
>The setuid mechanism is a necessity, but always a concern since it
>exacerbates any existing software bugs by allowing privilege escalation.

Agreed.

>The setuid bit is needed because the SSH client needs access to the client
>host key in order to certify your identity to the server

.... and to bind() to a low-numbered port for Hostbased or RhostsRSA 
authentications.

If your server checks the source port, and your client OS restricts
the use of low-numbered ports then you need the appropriate privileges,
which may mean having the binary setuid root or some other mechanism
(eg Capabilities).

I guess you could have a setuid helper do this but I'm not aware of any
ssh clients that do it that way.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
dtucker (551)
7/5/2003 7:01:59 AM
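
A defender's check for the setuid layout discussed in this thread, added here as an example and not written by any of the posters: it reports whether the client and the signing helper are setuid, which uid owns them, and whether the private host key is readable beyond its owner. The function names, finding labels and the temp-dir stand-in files are assumptions made for the illustration; real paths are passed in as arguments.

```shell
#!/bin/sh
# Print "none" if FILE is not setuid, else the numeric uid that owns it.
setuid_owner() {
    if [ -u "$1" ]; then ls -ln "$1" | awk '{print $3}'; else echo none; fi
}

# Print "yes" if group or other may read FILE (mode string chars 5 and 8).
readable_by_others() {
    case "$(ls -ln "$1" | awk '{print $1}')" in
        ????r*|???????r*) echo yes ;;
        *) echo no ;;
    esac
}

# audit_hostbased CLIENT HELPER HOSTKEY -> one finding per line.
# The three paths are arguments; no install layout is assumed.
audit_hostbased() {
    c=$(setuid_owner "$1"); h=$(setuid_owner "$2")
    k=$(ls -ln "$3" | awk '{print $3}')
    # A setuid client runs all of its code with the owner's privileges.
    [ "$c" != none ] && echo "CLIENT_SETUID uid=$c"
    case "$h" in
        none) echo "HELPER_NOT_SETUID" ;;
        0)    echo "HELPER_SETUID_ROOT" ;;   # works, but root is more than needed
        *)    echo "HELPER_SETUID_NONROOT uid=$h" ;;
    esac
    # A non-root helper can only read an owner-only key if it owns that key.
    [ "$h" != none ] && [ "$h" != 0 ] && [ "$h" != "$k" ] &&
        echo "KEY_OWNER_MISMATCH key=$k helper=$h"
    [ "$(readable_by_others "$3")" = yes ] && echo "KEY_READABLE_BY_OTHERS"
    return 0
}

# Constructed demo: empty stand-in files in a temp dir, not real SSH binaries.
d=$(mktemp -d)
: > "$d/ssh"; : > "$d/ssh-keysign"; : > "$d/hostkey"
chmod 4755 "$d/ssh" "$d/ssh-keysign"
chmod 0644 "$d/hostkey"
audit_hostbased "$d/ssh" "$d/ssh-keysign" "$d/hostkey"
rm -rf "$d"
```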