Bug 1893

Summary: change ssh-keysign to setgid from setuid
Product: Portable OpenSSH Reporter: jchadima
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: normal CC: djm, ezyang, jchadima, jfch, jmknoble
Priority: P2    
Version: 5.8p1   
Hardware: All   
OS: All   
Attachments:
Description Flags
patch solving the problem none

Description jchadima 2011-04-22 07:16:05 AEST 
the setgid programs are potentially less dangerous than setuid ones.

the only setuid program in the openssh suite is ssh-keysign. It need to access private server keys.

The solution is to create one dedicated group (ssh_keys).
The keys then should be rw-r---- root:ssh_keys
The ssh-keysign should be setgid ssh_keys
And finally authfile.c should be patched to accept such keys.
Comment 1 jchadima 2011-04-22 07:17:21 AEST 
Created attachment 2035 [details]
patch solving the problem
Comment 2 Jim Knoble 2011-04-22 08:20:51 AEST 
So how is this supposed to work in practice?  Change everyone's home directory to be mode 0710 group ssh_keys?

Why is the "ssh_keys" group hard-coded in authfile.c?
Comment 3 jchadima 2011-04-22 14:49:49 AEST 
No, home directories no not need change.
Only change is on the server private keys.

The hard-coded server keys are for the security reasons.
Comment 4 Damien Miller 2011-06-03 10:41:24 AEST 
I don't think there is much point to getting rid of the setuid bit on ssh-keysign. There are only 12 lines of code executed before dropping privileges and these are clearly quite safe.
Comment 5 Damien Miller 2011-09-06 15:33:02 AEST 
close resolved bugs now that openssh-5.9 has been released
Comment 6 Edward Z. Yang 2012-05-29 05:18:25 AEST 
I am confused why this bug is closed WONTFIX, as the ssh_keys group appears to have made its way into recent Fedora.