On Sun, 7 Jun 2020 at 03:57, Harald Dunkel <harald.dunkel@xxxxxxxxxx> wrote:
> I wonder why EnableSSHKeysign is disabled by default. Does it hurt
> somehow?

It enables the ssh-keysign helper which is setuid root but unneeded by the vast majority of users. Disabling it by default is a risk mitigation strategy: if there's ever a bug in it or it can be otherwise abused then it's likely that the majority of installations will not be impacted.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
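
A defender-side check for the setting discussed in the message above, as an added example that is not part of the original thread or of OpenSSH: it reports the EnableSSHKeysign value found in an ssh_config file and whether the helper binary carries the setuid bit. The function names are hypothetical, the helper's path varies by distribution and is passed as an argument, and Host/Match scoping is ignored.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit the ssh-keysign exposure on a host.

# Print the EnableSSHKeysign value ("yes" or "no") from an ssh_config-style
# file. Keywords are case-insensitive, the separator may be whitespace or a
# single '=', the first value found wins, and the default is "no".
# Assumption: Host/Match scoping is ignored.
keysign_setting() {
    [ -r "$1" ] || { echo "no"; return 0; }
    awk '
        { sub(/#.*/, "") }                      # drop comments
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)     # "key = value" -> "key value"
            n = split(line, f, " ")
            if (n >= 2 && tolower(f[1]) == "enablesshkeysign") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Classify the host: $1 = ssh_config path, $2 = path to the ssh-keysign binary.
#   inactive: no setuid helper present
#   dormant:  setuid helper installed but not enabled in the config
#   active:   setuid helper installed and enabled
keysign_audit() {
    setting=$(keysign_setting "$1")
    if [ ! -u "$2" ]; then
        echo "inactive: helper missing or not setuid"
    elif [ "$setting" = "yes" ]; then
        echo "active: setuid helper enabled by $1"
    else
        echo "dormant: setuid helper installed, EnableSSHKeysign=$setting"
    fi
}

# Run only when both paths are given on the command line.
if [ "$#" -ge 2 ]; then
    keysign_audit "$1" "$2"
fi
```
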