Subject: Re: setuid ssh
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/18/2000 09:48:55
Cc: Atsushi Onoe <onoe@sm.sony.co.jp>, sommerfeld@orchard.arlington.ma.us,
   cjs@cynic.net, hubert.feyrer@informatik.fh-regensburg.de,
   tech-security@netbsd.org
Message-ID: <20001018094855.B29595@noc.untraceable.net>
Reply-To: Andrew Brown <atatat@atatdot.net>
References: <20001018093550.A29522@noc.untraceable.net> <200010181346.e9IDk4g73988@cwsys.cwsent.com>
In-Reply-To: <200010181346.e9IDk4g73988@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Wed, Oct 18, 2000 at 06:45:17AM -0700

>> >> .rhosts and .rhosts/rsa must die.
>> >
>> >I think .rhosts/rsa configuration may still be suitable for some
>> >environment; e.g. remote backup from cron.  Perhaps you want to set
>> >IgnoreUserKnownHosts.
>> 
>> rhosts/rsa with a passphrased key seems *better* to me than plain rsa
>> alone.  or am i completely misunderstanding it?
>
>That's how I understand it.

i was slightly mistaken.  the key involved in rhosts/rsa is *not*
passphrased, but rather, it is the *host* key instead of a user's key.

it's another requirement for ssh to be suid (so it can read the host's
private key), and it only securely authenticates the host, not the
user.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
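The two checks a practitioner would want after reading this exchange are: is the ssh client on a box actually setuid root (the precondition for it being able to read the host's private key), and does the sshd on the other side still accept rhosts-style authentication or trust per-user known_hosts files. The script below is an added example and not code from this thread or from OpenSSH; it assumes the OpenSSH 2.x-era sshd_config keywords RhostsAuthentication, RhostsRSAAuthentication, IgnoreRhosts and IgnoreUserKnownHosts, and the sample config strings are constructed for illustration.

```python
"""Audit helpers for the setuid-ssh / rhosts-rsa question in this thread.

Added example, not from the thread. Keyword names and "safe" values are an
assumption about OpenSSH 2.x-era sshd_config; check your sshd_config(5).
"""
import os
import stat

# Option -> value a hardened sshd should carry.  Both Rhosts* options enable
# authentication that proves the *host*, not the user; IgnoreRhosts stops
# users from extending that trust via ~/.rhosts, and IgnoreUserKnownHosts
# stops them from adding hosts via ~/.ssh/known_hosts (as suggested above).
HOST_BASED_OPTIONS = {
    "RhostsAuthentication": "no",
    "RhostsRSAAuthentication": "no",
    "IgnoreRhosts": "yes",
    "IgnoreUserKnownHosts": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} keeping the FIRST occurrence of each
    keyword, which is what sshd itself honours.  Accepts 'Key value' and
    'Key=value', ignores blank lines and '#' comments."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd would reject the file
        key, value = parts[0].lower(), parts[1].strip()
        config.setdefault(key, value)
    return config


def audit_host_based_auth(config):
    """Return (option, actual, wanted) triples for every option that is not
    pinned to its hardened value.  An unset option is reported as 'unset'
    because its built-in default may be the permissive one."""
    findings = []
    for option, wanted in HOST_BASED_OPTIONS.items():
        actual = config.get(option.lower())
        if actual is None:
            findings.append((option, "unset", wanted))
        elif actual.lower() != wanted:
            findings.append((option, actual, wanted))
    return findings


def mode_is_setuid_root(st_mode, st_uid):
    """True when a file's mode has the setuid bit AND the owner is root,
    i.e. executing it would run as uid 0 (the case the thread is about)."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def binary_is_setuid_root(path):
    """Stat a real file and apply mode_is_setuid_root to it."""
    st = os.stat(path)
    return mode_is_setuid_root(st.st_mode, st.st_uid)


# Constructed sample configs (not taken from any real system).
WEAK_CONFIG = """\
# permissive: host-based auth on, users may widen trust themselves
Port 22
RhostsAuthentication yes
RhostsRSAAuthentication yes
IgnoreRhosts no
IgnoreUserKnownHosts no
"""

HARDENED_CONFIG = """\
# hardened: only user keys / passwords, no host-based trust
Port 22
RhostsAuthentication no
RhostsRSAAuthentication=no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
IgnoreRhosts no   # duplicate: ignored by sshd, and by parse_sshd_config
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for option, actual, wanted in audit_host_based_auth(parse_sshd_config(text)):
            print(f"{name}: {option} is {actual!r}, want {wanted!r}")
    for candidate in ("/usr/bin/ssh", "/usr/local/bin/ssh"):
        if os.path.exists(candidate):
            print(candidate, "setuid root:", binary_is_setuid_root(candidate))
```

Run it as-is to audit the two embedded samples and report whether the local ssh client is setuid root; point parse_sshd_config at the contents of a real sshd_config to audit a server. Note that the check only tells you whether the permissive options are pinned off; a client that is not setuid root cannot read the host key and so cannot complete rhosts/rsa regardless of what the server allows.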