by mail.netbsd.org with SMTP; 18 Oct 2000 13:54:34 -0000
	id C15B42A2A; Wed, 18 Oct 2000 09:54:33 -0400 (EDT)
	by orchard.arlington.ma.us (Postfix) with ESMTP
	id AD7461FCD; Wed, 18 Oct 2000 09:54:33 -0400 (EDT)
To: Andrew Brown <atatat@atatdot.net>
Cc: Atsushi Onoe <onoe@sm.sony.co.jp>, cjs@cynic.net,
	hubert.feyrer@informatik.fh-regensburg.de, tech-security@netbsd.org
Subject: Re: setuid ssh 
In-Reply-To: Message from Andrew Brown <atatat@atatdot.net> 
   of "Wed, 18 Oct 2000 09:47:11 EDT." <20001018094711.A29595@noc.untraceable.net> 
Reply-To: sommerfeld@orchard.arlington.ma.us
Date: Wed, 18 Oct 2000 09:54:28 -0400
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Message-Id: <20001018135433.C15B42A2A@orchard.arlington.ma.us>

> as long as you don't copy that key anywhere.  

If I copy the host key, .rhosts/rsa has the same problem.

if ~backup/.ssh/identity and /etc/ssh_host_key are (effectively)
protected the same, all bets are off.

(surely you don't actually believe that an attacker can't quietly
usurp the host's ip address ..)


					- Bill