Bug 26832

Summary: ssh cannot login without password when using ~/.shosts
Product: Base System
Reporter: Masachika ISHIZUKA <ishizuka>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: ishizuka
Priority: Normal
Version: 4.3-RELEASE
Hardware: Any
OS: Any

Description Masachika ISHIZUKA 2001-04-25 07:10:01 UTC
	ssh cannot login without password when using ~/.shosts

Fix: 

chmod u+s /usr/bin/ssh
Comment 1 Peter Pentchev 2001-04-25 07:41:44 UTC
On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
> 
> >Number:         26832
> >Category:       bin
> >Synopsis:       ssh cannot login without password when using ~/.shosts
> >Originator:     Masachika ISHIZUKA
> >Environment:
> System: FreeBSD cima.nw.xephion.ne.jp 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Apr 25 11:30:19 JST 2001 root@:/usr/src/sys/compile/cima i386
> >Description:
> 	ssh cannot login without password when using ~/.shosts
> >How-To-Repeat:
> 	
> >Fix:
> 	chmod u+s /usr/bin/ssh

Mmmm..  I would rather think the correct fix is putting:
ENABLE_SETUID_SSH=true

in your /etc/make.conf, as documented in /etc/defaults/make.conf.

G'luck,
Peter

-- 
What would this sentence be like if it weren't self-referential?
Comment 2 Masachika ISHIZUKA 2001-04-25 10:29:53 UTC
> On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
>
>>>Number:         26832
>>>Category:       bin
>>>Synopsis:       ssh cannot login without password when using ~/.shosts
>>>Originator:     Masachika ISHIZUKA
>>>Fix:
>> 	chmod u+s /usr/bin/ssh
> 
> Mmmm..  I would rather think the correct fix is putting:
> ENABLE_SETUID_SSH=true
> 
> in your /etc/make.conf, as documented in /etc/defaults/make.conf.

  Dear Peter-san,
  Thank you for your reply.
  It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
&& make && make install", but do all users who use .shosts have to install
the ssh source code, and why was the suid bit of ssh removed from 4.2R to
4.3R?  Any security reasons?

-- 
ishizuka@ish.org
Comment 3 Peter Pentchev 2001-04-25 11:14:34 UTC
On Wed, Apr 25, 2001 at 06:29:53PM +0900, Masachika ISHIZUKA wrote:
> > On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
> >
> >>>Number:         26832
> >>>Category:       bin
> >>>Synopsis:       ssh cannot login without password when using ~/.shosts
> >>>Originator:     Masachika ISHIZUKA
> >>>Fix:
> >> 	chmod u+s /usr/bin/ssh
> > 
> > Mmmm..  I would rather think the correct fix is putting:
> > ENABLE_SETUID_SSH=true
> > 
> > in your /etc/make.conf, as documented in /etc/defaults/make.conf.
> 
>   Dear Peter-san,
>   Thank you for your reply.
>   It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
> and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
> && make && make install", but do all users who use .shosts have to install
> the ssh source code, and why was the suid bit of ssh removed from 4.2R to
> 4.3R?  Any security reasons?

Yes, for existing installations, the SSH client binary has to be chmod'd
by hand.  And yes, there were security reasons for removing the setuid
bit on the SSH client - there was at least one known vulnerability, which
could be used for subverting the SSH client, and there is no guarantee
that more such vulnerabilities won't creep up in the future.  Since it is
quite rare that people are using rhosts/shosts based authentication,
the majority of FreeBSD installations do not need a setuid SSH client.
For those that do, there is the 'chmod by hand' workaround for an existing
installation, and the /etc/make.conf knob for rebuilding.

I apologize for my somewhat summary and not quite thought-out reply;
the case of new installations which are not rebuilt totally slipped my mind.

As a side point, rhosts/shosts-based authentication could be replaced
with something else which does not require a setuid client - e.g. with
public-key authentication (it is quite trivial to generate a public key
with an empty password).  This could have other issues - the keys should
be placed on all machines, the secret portion of the key should be placed
on all machines from which you need to log in (this could mean placing
secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key
based authentication is a better solution.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.
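
An added example, not part of the original thread or of FreeBSD: a small POSIX shell audit for the two conditions discussed in Comment 3, namely whether the ssh client binary carries the setuid bit and which accounts still depend on .shosts/.rhosts files. The function names, the demo tree and its file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and sample files below are constructed.

# is_setuid FILE: true if FILE is a regular file with the set-user-ID bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# list_trust_files HOMEROOT: one line per .shosts/.rhosts file found in the
# home directories directly under HOMEROOT, with the number of active
# entries and whether any entry is the bare "+" wildcard.
list_trust_files() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for name in .shosts .rhosts; do
            f="$home/$name"
            [ -f "$f" ] || continue
            awk -v path="$f" '
                /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
                { n++ }
                $1 == "+" || $2 == "+" { wild = "yes" }
                END { printf "%s entries=%d wildcard=%s\n", path, n, (wild ? wild : "no") }
            ' "$f"
        done
    done
}

# audit SSH_BIN HOMEROOT: report the client setuid state, then the trust files.
audit() {
    if is_setuid "$1"; then echo "setuid $1"; else echo "not-setuid $1"; fi
    list_trust_files "$2"
}

# Constructed demo tree; on a real host run: audit /usr/bin/ssh /home
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/bin"
    printf '# lab hosts\nhost1.example.org alice\n' > "$d/home/alice/.shosts"
    printf '+ +\nhost2.example.org\n' > "$d/home/bob/.rhosts"
    : > "$d/bin/ssh"; chmod 4755 "$d/bin/ssh"
    audit "$d/bin/ssh" "$d/home"
    rm -rf "$d"
}
demo
```

Accounts listed by `list_trust_files` are the ones that need a key installed before the setuid bit can be left off the client.
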
Comment 4 Masachika ISHIZUKA 2001-04-26 03:09:19 UTC
>>>>>Number:         26832
>>>>>Category:       bin
>>>>>Synopsis:       ssh cannot login without password when using ~/.shosts
>>>>>Originator:     Masachika ISHIZUKA
>>>>>Fix:
>>>> 	chmod u+s /usr/bin/ssh
>> 
>>   It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
>> and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
>> && make && make install", but do all users who use .shosts have to install
>> the ssh source code, and why was the suid bit of ssh removed from 4.2R to
>> 4.3R?  Any security reasons?
> 
> Yes, for existing installations, the SSH client binary has to be chmod'd
> by hand.  And yes, there were security reasons for removing the setuid
> bit on the SSH client - there was at least one known vulnerability, which
> could be used for subverting the SSH client, and there is no guarantee
> that more such vulnerabilities won't creep up in the future.  Since it is
> quite rare that people are using rhosts/shosts based authentication,
> the majority of FreeBSD installations do not need a setuid SSH client.
> For those that do, there is the 'chmod by hand' workaround for an existing
> installation, and the /etc/make.conf knob for rebuilding.
> 
> I apologize for my somewhat summary and not quite thought-out reply;
> the case of new installations which are not rebuilt totally slipped my mind.
> 
> As a side point, rhosts/shosts-based authentication could be replaced
> with something else which does not require a setuid client - e.g. with
> public-key authentication (it is quite trivial to generate a public key
> with an empty password).  This could have other issues - the keys should
> be placed on all machines, the secret portion of the key should be placed
> on all machines from which you need to log in (this could mean placing
> secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key
> based authentication is a better solution.

  Dear Peter-san,

  Thank you very much for your mail.
  I understood and agree with you that public-key based
authentication is better.  We managed more than 200 machines
and it is too hard to replace the authentication method soon.
  We will try to introduce public-key based authentication.
-- 
ishizuka@ish.org
Comment 5 dd freebsd_committer freebsd_triage 2001-04-29 03:08:48 UTC
State Changed
From-To: open->closed

Originator has been introduced to ENABLE_SETUID_SSH