The setgid programs are potentially less dangerous than setuid ones. The only setuid program in the OpenSSH suite is ssh-keysign. It needs to access private server keys. The solution is to create one dedicated group (ssh_keys). The keys then should be rw-r---- root:ssh_keys. The ssh-keysign should be setgid ssh_keys. And finally authfile.c should be patched to accept such keys.
Created attachment 2035: patch solving the problem
So how is this supposed to work in practice? Change everyone's home directory to be mode 0710 group ssh_keys? Why is the "ssh_keys" group hard-coded in authfile.c?
No, home directories do not need to change. The only change is on the server private keys. The hard-coded server keys are for security reasons.
I don't think there is much point to getting rid of the setuid bit on ssh-keysign. There are only 12 lines of code executed before dropping privileges and these are clearly quite safe.
close resolved bugs now that openssh-5.9 has been released
I am confused why this bug is closed WONTFIX, as the ssh_keys group appears to have made its way into recent Fedora.