Hi, is it a security problem to set a client ssh-binary to setuid root (4755)? If I don't set the 4-bit I get no hostbased access to my sshd-server.

Thanx, Markus
>>>>> "MZ" == Markus Zimmermann <Markus.Zimmermann@hz-bau.de> writes:

    MZ> Hi, is it a security problem to set a client ssh-binary to setuid
    MZ> root (4755) ? If i don't set the 4-bit i get no hostbased access
    MZ> to my sshd-server. Thanx, Markus

You did not say what SSH software you're using, versions, etc.

The setuid mechanism is a necessity, but always a concern since it exacerbates any existing software bugs by allowing privilege escalation.

The setuid bit is needed because the SSH client needs access to the client host key in order to certify your identity to the server. Two things:

1) Recent versions of OpenSSH and ssh.com software factor this signing operation into a separate program (ssh-signer/ssh-keysign), which must be setuid. This is better because hopefully, the smaller single-purpose program will be less likely to have or develop problems which can be exploited.

2) In any case, there's no need for it to be setuid *root*. The default install does this, but it's a bad idea. Use a different, unprivileged uid to gate read access to the private host key.

--
Richard Silverman
res@qoxp.net
In article <m2n0ftejom.fsf@darwin.oankali.net>, Richard E Silverman <res@qoxp.net> wrote:
>>>>>> "MZ" == Markus Zimmermann <Markus.Zimmermann@hz-bau.de> writes:
>     MZ> Hi, is it a security problem to set a client ssh-binary to setuid
>     MZ> root (4755) ? If i don't set the 4-bit i get no hostbased access
>     MZ> to my sshd-server. Thanx, Markus
>
> You did not say what SSH software you're using, versions, etc.
>
> The setuid mechanism is a necessity, but always a concern since it
> exacerbates any existing software bugs by allowing privilege escalation.

Agreed.

> The setuid bit is needed because the SSH client needs access to the client
> host key in order to certify your identity to the server

.... and to bind() to a low-numbered port for Hostbased or RhostRSA authentications. If your server checks the source port, and your client OS restricts the use of low-numbered ports, then you need the appropriate privileges, which may mean having the binary setuid root or some other mechanism (eg Capabilities). I guess you could have a setuid helper do this but I'm not aware of any ssh clients that do it that way.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
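An added audit helper, not code from any poster in this thread, that checks the two points Silverman and Tucker raise on a client host: whether ssh and the ssh-keysign helper are setuid root or setuid to an unprivileged uid, and whether the private host key that uid is meant to gate is readable by anyone else. The ssh-keysign install paths are the usual distribution locations and are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies setuid posture and host-key
# readability using only POSIX ls, so it runs on Linux and the BSDs.

# setuid_posture FILE prints one of:
#   missing        file does not exist
#   none           no setuid bit (hostbased auth cannot read the host key)
#   setuid-root    setuid and owned by uid 0 (the default the thread calls a bad idea)
#   setuid-uid:N   setuid and owned by unprivileged uid N (the recommended posture)
setuid_posture() {
    [ -e "$1" ] || { echo missing; return 1; }
    # ls -ln is POSIX: field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -lnd "$1")
    case "$1" in
        ???[sS]*) ;;                         # position 4: s = setuid+exec, S = setuid only
        *) echo none; return 0 ;;
    esac
    if [ "$3" -eq 0 ]; then echo setuid-root; else echo "setuid-uid:$3"; fi
}

# hostkey_posture KEYFILE prints who can read the private key besides its owner.
# Gating access by an unprivileged uid only works if the answer is "private".
hostkey_posture() {
    [ -e "$1" ] || { echo missing; return 1; }
    set -- $(ls -lnd "$1")
    case "$1" in
        ???????r*) echo world-readable ;;    # other-read bit, position 8
        ????r*)    echo group-readable ;;    # group-read bit, position 5
        *)         echo private ;;           # owner only
    esac
}

# audit_ssh_client walks the thread's checklist on this host.
# ssh-keysign paths are assumed (Debian, Fedora, BSD/macOS layouts).
audit_ssh_client() {
    for f in "$(command -v ssh 2>/dev/null)" \
             /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign \
             /usr/libexec/ssh-keysign; do
        [ -n "$f" ] && [ -f "$f" ] && printf '%-40s %s\n' "$f" "$(setuid_posture "$f")"
    done
    for k in /etc/ssh/ssh_host_*_key; do
        [ -f "$k" ] && printf '%-40s %s\n' "$k" "$(hostkey_posture "$k")"
    done
}

if [ "${1:-}" = audit ]; then audit_ssh_client; fi
```

Run it as `sh audit.sh audit`; it does not check Tucker's low-port requirement, which depends on the server's source-port policy rather than on file modes.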