[19120] in bugtraq
Re: Bug in ssh client (open ssh 2.3.0)
daemon@ATHENA.MIT.EDU (Tatu Ylonen)
Sat Feb 10 18:09:16 2001
Message-Id: <Pine.LNX.4.10.10102101344050.22997-100000@mystery.acr.fi>
Date: Sat, 10 Feb 2001 14:42:23 +0200
Reply-To: Tatu Ylonen <ylo@SSH.COM>
From: Tatu Ylonen <ylo@SSH.COM>
X-To: rafal wiosna <rafamiga@UUCP.POLBOX.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010209192136.S21723@orfika.office.polbox.pl>
> * Tomasz Kužniar wrote:
> > Ssh client is suid, so it could be real problem. Must check source...
>
> SUID is only needed when using rhosts or rshost-rsa authentication.
> Many installations don't need it. Just set this option [taken from man ssh]:

The SSH2 architecture has been designed so that the client does not need a
SUID bit at all. SSH2 has a small helper program, ssh-signer2, which does
the signing operation for host based authentication. This way, the amount
of code that needs to run SUID root is greatly minimized, reducing the
probability of security bugs related to it.

SSH2 also fixes fundamental security problems in the old SSH1 protocol.
SSH1 is DEPRECATED, and people are strongly encouraged to move to using
the SSH2 protocol.

The latest version of SSH2 is ssh-2.4.0, available from
ftp://ftp.ssh.com/pub/ssh. SSH2 is completely free for any use on Linux,
FreeBSD, NetBSD, and OpenBSD, as well as for use by universities and
charity organizations, and for personal hobby/recreational use by
individuals. (For commercial use, please see http://www.ssh.com/.)

Tatu
--
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
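
The split described in the message above (a client without the SUID bit, with only a small signing helper keeping it) can be checked on an installed system. The following audit sketch is an added example, not part of the original post or of any SSH distribution; the directory argument, the `ssh-signer*` name pattern and the status labels are assumptions.

```shell
#!/bin/sh
# Added example: report which SSH binaries in a directory carry the setuid bit.
# Policy assumed from the message above: only the signing helper (ssh-signer2)
# should need it; a setuid ssh client is flagged for review.

# Names treated as the small signing helper. ssh-signer2 is named in the post;
# the glob pattern is an assumption.
is_signer_helper() {
    case "$1" in
        ssh-signer*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ssh_suid DIR
# Prints one line per ssh* file as "<status> <name>", where status is:
#   OK      no setuid bit
#   HELPER  setuid bit on the signing helper (expected for host-based auth)
#   REVIEW  setuid bit on anything else (for example the client itself)
# Returns 1 if any REVIEW line was printed, otherwise 0.
audit_ssh_suid() {
    dir=$1
    rc=0
    for path in "$dir"/ssh*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if [ -u "$path" ]; then
            if is_signer_helper "$name"; then
                echo "HELPER $name"
            else
                echo "REVIEW $name"
                rc=1
            fi
        else
            echo "OK $name"
        fi
    done
    return $rc
}

# Typical use (the directory is an assumption): audit_ssh_suid /usr/local/bin
```

The check looks only at the setuid mode bit, not at file ownership, so a `REVIEW` line is a prompt to inspect the binary rather than proof that it runs as root.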