Subject: Re: ssh suid root
To: None <>
From: Ari Gordon-Schlosberg <>
List: netbsd-users
Date: 02/07/2001 09:02:02
> why ssh client is suid root by default?
> without suid it works good, but when run as suid remote ident question
> gets root.wheel instead of username
[By the way, you might want to set your clock]

The reason that ssh runs as root is so that it can bind to a privileged
port.  This is necessary for RhostsAuthentication and

From the ssh man page:

         Specifies whether to try rhosts based authentication.  Note that
         this declaration only affects the client side and has no effect
         whatsoever on security.  Disabling rhosts authentication may re-
         duce authentication time on slow connections when rhosts authen-
         tication is not used.  Most servers do not permit RhostsAuthenti-
         cation because it is not secure (see RhostsRSAAuthentication).
         The argument to this keyword must be ``yes'' or ``no''.

         Specifies whether to try rhosts based authentication with RSA
         host authentication.  This is the primary authentication method
         for most sites.  The argument must be ``yes'' or ``no''.


         Specifies whether to use a privileged port for outgoing connec-
         tions.  The argument must be ``yes'' or ``no''. The default is
         ``yes''. Note that setting this option to ``no'' turns off
         RhostsAuthentication and RhostsRSAAuthentication.

And from the OpenSSH FAQ:

2.Why is the ssh client setuid root? 

       The ssh client need to bind to a low-numbered port for rhosts
       and rhosts-rsa authentication. You can safely remove the
       setuid bit from the ssh executable if you don't want to use
       these authentication methods.

In the future, a little reading and searching (like I just did), should
find you answers like this.

Ari							there is no spoon
------------------------------------------------------------------------- for PGP public key