Once upon a time, Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> said: > Drafted here, to be published: > https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit I guess the original idea was to reduce the setuid footprint (which is a good goal). I though host-based auth was deprecated at this point anyway - it's not enabled by default, right? Just a thought: if "reduce setuid-root binaries installed by default" is a goal, what about splitting ssh-keysign off into a subpackage, like openssh-hostauth, that's not installed by default? That could optionally even include a ssh_config.d drop-in that would enable it (although that may not be desired, since even using host-based auth may not be desired gloablly). You already have to take some action to enable host-based auth, so I wouldn't see this as a big step. -- Chris Adams <linux@xxxxxxxxxxx> _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue