Subject: Re: setuid ssh
To: Greg A. Woods <woods@weird.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/20/2000 14:34:56
Cc: Curt Sampson <cjs@cynic.net>, tech-security@netbsd.org,
   Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>,
   Manuel Bouyer <bouyer@antioche.lip6.fr>, Jason R Thorpe <thorpej@zembu.com>

>There's still ample room for debate on whether or not SUID SSH is in
>fact ``insecure'' in any way (except in some site-specific
>configurations where the lack of ultimate security is not really SSH's
>fault but rather the fault of the way that site's infrastructure has
>been designed and implemented).

well...what does it *need* to be suid for?  is there anything besides
the privileged port and the host key that it requires root privs for?
or is that it?

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."