Subject: Re: setuid ssh
To: None <sommerfeld@orchard.arlington.ma.us>
From: Atsushi Onoe <onoe@sm.sony.co.jp>
List: tech-security
Date: 10/18/2000 22:26:21
Message-Id: <200010181326.e9IDQLv03069@duplo.sm.sony.co.jp>
Cc: atatat@atatdot.net, cjs@cynic.net,
hubert.feyrer@informatik.fh-regensburg.de, tech-security@netbsd.org
In-Reply-To: Your message of "Wed, 18 Oct 2000 09:11:23 -0400"
<20001018131128.9F5132A2A@orchard.arlington.ma.us>
References: <20001018131128.9F5132A2A@orchard.arlington.ma.us>
> .rhosts and .rhosts/rsa must die.
I think .rhosts/rsa configuration may still be suitable for some
environments; e.g. remote backup from cron. Perhaps you want to set
IgnoreUserKnownHosts.

I'm afraid that disabling all authentication other than user's RSA
causes proliferation of ssh-agent, which looks more harmful than
rhosts/rsa authentication.
Atsushi Onoe