Re: OpenSSH: hardening hostkeys permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Once upon a time, Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> said:
> Drafted here, to be published:
> https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit

I guess the original idea was to reduce the setuid footprint (which is a
good goal).  I though host-based auth was deprecated at this point
anyway - it's not enabled by default, right?

Just a thought: if "reduce setuid-root binaries installed by default" is
a goal, what about splitting ssh-keysign off into a subpackage, like
openssh-hostauth, that's not installed by default?  That could
optionally even include a ssh_config.d drop-in that would enable it
(although that may not be desired, since even using host-based auth may
not be desired gloablly).

You already have to take some action to enable host-based auth, so I
wouldn't see this as a big step.
-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux