Subject: Re: setuid ssh
To: matthew green <mrg@eterna.com.au>
From: Dan Riley <dsr@mail.lns.cornell.edu>
List: tech-security
Date: 10/19/2000 12:03:39
To: matthew green <mrg@eterna.com.au>, thorpej@zembu.com, cjs@cynic.net,
       tech-security@netbsd.org
References: <20001018080504.A290@dr-evil.shagadelic.org> <28588.971932756@eterna.com.au> <20001019013348.A7840@noc.untraceable.net>
Date: 19 Oct 2000 12:03:39 -0400
In-Reply-To: Andrew Brown's message of "Thu, 19 Oct 2000 01:33:48 -0400"
Message-ID: <shk8b4izs4.fsf@lns130.lns.cornell.edu>
Lines: 25

>and some people legitimately *really* don't want ssh installed setuid.

In particular, watch out for suid ssh with Kerberos.  With the stock
ssh prior to 1.2.27, suid ssh with Kerberos was a huge security hole.
Starting several revisions before 1.2.27, ssh stopped doing uid
swapping, instead forking a child process to read anything that had to
be accessed as the user.  The Kerberos code knows nothing about this,
so it accesses the credentials cache as the effective user from the
parent ssh--making suid ssh a trivial way to steal credentials.  After
I reported this problem, ssh-1.2.27 added code to disable Kerberos
authentication if the client is suid[1] (has anyone checked that all
the NetBSD patches respect this?).  The realization that there is tons
of contributed code in ssh, some of which almost certainly has not
been audited for euid=0 safeness, convinced me that suid ssh is best
avoided if at all possible.

[1] with the *highly* misleading ChangeLog entry

        * Kerberos authentication disabled, if client is suid-root.
          This is the only way to avoid security problems that are
          in Kerberos rather than in ssh.
-- 
Dan Riley                                         dsr@mail.lns.cornell.edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"