Subject: Re: sshd won't allow access by root
To: William Allen Simpson <wsimpson@greendragon.com>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-install
Date: 09/28/2002 18:28:02
On 1033233645 seconds since the Beginning of the UNIX epoch
William Allen Simpson wrote:
>
>Roland Dowdeswell wrote:
>> 
>> Yes, it appears that the documentation does not match the src.
>> I've just submitted a PR to resolve this issue.  And checked in a
>> fix to the man page into current.  I'll request that the documentation
>> change be pulled up to the release branches.  This will at least
>> take care of the documentation issues.
>> 
>Well, that was quick -- although I just looked for the PR, and cannot 
>find it.  Does it take awhile to appear online?

Well, the PR only covered the wrong documentation so I fixed the
documentation and closed it immediately.  It is bin/18445.  I think
that the web interface syncs to the main bug database and is often
a few hours behind.  The email did go out immediately to the bugs
mailing list, though.

>> Whether this is the correct setting is another discussion of course.
>> The rationale behind the decision is to make the behaviour of sshd
>> consistent with the rest of the system which does not allow root
>> to log in w/ a passwd from anything but the console.
>> 
>> I would certainly go as far as to suggest that for actual consistency,
>> we should make the setting ``without-password'' rather than ``no'',
>> because via krb5 for example, you can log in as root over telnetd
>> on an insecure tty.  Granted though, that in that case I'd be coming
>> in as elric/root@IMRRYR.ORG and so there's more of an audit trail.
>
>Better yet, make ssh like kerberos, since ssh is arguably simpler and more 
>secure.  It would sure save a lot of headaches.  

Hmmm, ssh and kerberos are really orthogonal concepts.  ssh is a
mostly transport layer and kerberos 5 is an authentication framework.
ssh allows one to use other authentication systems such as UNIX
passwords, S/Key or kerberos.  And ssh also includes its own tiny
authentication framework, namely RSAAuthentication.

I use kerberos authentication on my ssh sessions, e.g.  They are
at different layers of abstraction, so I don't think that one can
argue that ssh is simpler and more secure---they just do different
things and can even be used in conjunction.

>How are these decisions made?  Which list?  By whom?

The mail that mentioned this change is:

	http://archives.neohapsis.com/archives/netbsd/2001-q3/0154.html

and the thread was the resulting discussion.

>Yes, and add caveats to INSTALL (Post installation steps 2 and/or 3), 
>where it talks about using root without a password, and setting up 
>user accounts. 

That's a good idea.  I'll change the text in there to indicate the
steps that need to be performed currently to become root from insecure
ttys.

>(It is pretty amazing to me that on the one hand, recent changes allow 
>root without a password; while on the other, recent changes restrict 
>ssh from accessing root.)

I'm not sure which changes you are talking about; it has always
been possible to set up root without a password, hasn't it?

>And, in "Initialization and Services Control", a mention about needing to 
>configure users before adding sshd to rc.config would be helpful, since 
>all of the examples are with root, but you cannot actually execute them 
>via ssh.  Presumably, they all need to be re-written with su.
>
>Also, in "Tracking NetBSD -current", although it does mention fixing 
>permissions in setting up step 6, there's no discussion how this works 
>from a non-root account in the first place. 

You have to be root to do the chown.  If you cvs checkout from a
non-root account, then you just own all the files to begin with.

>Similar problems in Guide "Chapter 18. Obtaining sources by CVS".
>
>There are a lot of "unintended consequences" to making a decision like 
>this new ssh restriction....

I don't see how this issue affects CVS?

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
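As an added example (not code from this thread, from NetBSD or from OpenSSH), the consistency argument above turned into a small audit: it reads a constructed sshd_config and /etc/ttys and reports whether PermitRootLogin lets root authenticate with a password over ssh while only the console carries the "secure" flag. Assumptions: only the global section of sshd_config is considered (lines after a Match keyword are skipped), and both sample inputs are constructed.

```python
import re
import shlex

# Constructed sample inputs, not taken from the thread.
SSHD_CONFIG = """\
PermitRootLogin yes   # sshd keeps the first value seen for a keyword
PermitRootLogin no    # ignored: a later duplicate does not override
"""
ETC_TTYS = """\
# name  command                   type   status [flags]
console "/usr/libexec/getty Pc"   vt100  on     secure
ttyE1   "/usr/libexec/getty Pc"   vt220  on
"""
# Which PermitRootLogin values let root authenticate with a password over
# ssh ("prohibit-password" is the later OpenSSH spelling of "without-password").
ROOT_PASSWORD_OK = {"yes": True, "no": False, "without-password": False,
                    "prohibit-password": False, "forced-commands-only": False}

def sshd_option(config_text, keyword):
    """First value of keyword in the global section of sshd_config
    (assumption for this example: everything after a Match line is skipped)."""
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if parts[0].lower() == "match":
            break  # options below Match are conditional, not global
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None

def secure_ttys(ttys_text):
    """ttys flagged 'secure', where login(1) lets root in with a password."""
    names = set()
    for raw in ttys_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = shlex.split(line)  # keeps the quoted getty command whole
            if len(fields) > 4 and "secure" in fields[4:]:
                names.add(fields[0])
    return names

def audit(config_text, ttys_text):
    """Is root password login over ssh no more permissive than /etc/ttys allows?"""
    value = sshd_option(config_text, "PermitRootLogin")
    over_ssh = ROOT_PASSWORD_OK.get(value.lower()) if value else None
    secure = secure_ttys(ttys_text)
    # Consistent if ssh allows root passwords only when a non-console tty is
    # secure too; None when PermitRootLogin is unset (default varies by version).
    consistent = None if over_ssh is None else (not over_ssh or bool(secure - {"console"}))
    return {"permit_root_login": value, "root_password_over_ssh": over_ssh,
            "secure_ttys": sorted(secure), "consistent_with_ttys": consistent}
```

With the constructed inputs the report flags the mismatch the thread describes: ssh would accept a root password although only the console is marked secure.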