From ishizuka@xephion.ne.jp  Tue Apr 24 23:05:59 2001
Return-Path: <ishizuka@xephion.ne.jp>
Received: from cima.nw.xephion.ne.jp (cima.nw.xephion.ne.jp [211.9.226.131])
	by hub.freebsd.org (Postfix) with ESMTP id 2EC8037B42C
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Apr 2001 23:05:58 -0700 (PDT)
	(envelope-from ishizuka@xephion.ne.jp)
Received: (from ishizuka@localhost)
	by cima.nw.xephion.ne.jp (8.11.3/8.11.1/2000-11-24) id f3P65s402055;
	Wed, 25 Apr 2001 15:05:54 +0900 (JST)
Message-Id: <200104250605.f3P65s402055@cima.nw.xephion.ne.jp>
Date: Wed, 25 Apr 2001 15:05:54 +0900 (JST)
From: Masachika ISHIZUKA <ishizuka@xephion.ne.jp>
Reply-To: ishizuka@xephion.ne.jp
To: FreeBSD-gnats-submit@freebsd.org
Cc: ishizuka@cima.nw.xephion.ne.jp
Subject: ssh cannot login without password when using ~/.shosts
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         26832
>Category:       bin
>Synopsis:       ssh cannot login without password when using ~/.shosts
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 24 23:10:01 PDT 2001
>Closed-Date:    Sat Apr 28 19:08:48 PDT 2001
>Last-Modified:  Sat Apr 28 19:09:08 PDT 2001
>Originator:     Masachika ISHIZUKA
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
>Environment:
System: FreeBSD cima.nw.xephion.ne.jp 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Apr 25 11:30:19 JST 2001 root@:/usr/src/sys/compile/cima i386
>Description:
	ssh cannot login without password when using ~/.shosts
>How-To-Repeat:
	
>Fix:
	chmod u+s /usr/bin/ssh
>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@orbitel.bg>
To: Masachika ISHIZUKA <ishizuka@xephion.ne.jp>
Cc: FreeBSD-gnats-submit@freebsd.org, ishizuka@cima.nw.xephion.ne.jp
Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts
Date: Wed, 25 Apr 2001 09:41:44 +0300

 On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
 > 
 > >Number:         26832
 > >Category:       bin
 > >Synopsis:       ssh cannot login without password when using ~/.shosts
 > >Originator:     Masachika ISHIZUKA
 > >Environment:
 > System: FreeBSD cima.nw.xephion.ne.jp 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Apr 25 11:30:19 JST 2001 root@:/usr/src/sys/compile/cima i386
 > >Description:
 > 	ssh cannot login without password when using ~/.shosts
 > >How-To-Repeat:
 > 	
 > >Fix:
 > 	chmod u+s /usr/bin/ssh
 
 Mmmm..  I would rather think the correct fix is putting:
 ENABLE_SETUID_SSH=true
 
 in your /etc/make.conf, as documented in /etc/defaults/make.conf.
 
 G'luck,
 Peter
 
 -- 
 What would this sentence be like if it weren't self-referential?

From: Masachika ISHIZUKA <ishizuka@ish.org>
To: roam@orbitel.bg
Cc: FreeBSD-gnats-submit@freebsd.org, ishizuka@ish.org
Subject: Re: bin/26832: ssh cannot login without password when using
 ~/.shosts
Date: Wed, 25 Apr 2001 18:29:53 +0900

 > On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
 >
 >>>Number:         26832
 >>>Category:       bin
 >>>Synopsis:       ssh cannot login without password when using ~/.shosts
 >>>Originator:     Masachika ISHIZUKA
 >>>Fix:
 >> 	chmod u+s /usr/bin/ssh
 > 
 > Mmmm..  I would rather think the correct fix is putting:
 > ENABLE_SETUID_SSH=true
 > 
 > in your /etc/make.conf, as documented in /etc/defaults/make.conf.
 
   Dear Peter-san,
   Thank you for your reply.
   It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
 and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
 && make && make install", but do all users who use .shosts have to install
 the ssh source code, and why was the suid bit of ssh removed from 4.2R to
 4.3R?  Any security reasons?
 
 -- 
 ishizuka@ish.org

From: Peter Pentchev <roam@orbitel.bg>
To: Masachika ISHIZUKA <ishizuka@ish.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts
Date: Wed, 25 Apr 2001 13:14:34 +0300

 On Wed, Apr 25, 2001 at 06:29:53PM +0900, Masachika ISHIZUKA wrote:
 > > On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote:
 > >
 > >>>Number:         26832
 > >>>Category:       bin
 > >>>Synopsis:       ssh cannot login without password when using ~/.shosts
 > >>>Originator:     Masachika ISHIZUKA
 > >>>Fix:
 > >> 	chmod u+s /usr/bin/ssh
 > > 
 > > Mmmm..  I would rather think the correct fix is putting:
 > > ENABLE_SETUID_SSH=true
 > > 
 > > in your /etc/make.conf, as documented in /etc/defaults/make.conf.
 > 
 >   Dear Peter-san,
 >   Thank you for your reply.
 >   It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
 > and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
 > && make && make install", but do all users who use .shosts have to install
 > the ssh source code, and why was the suid bit of ssh removed from 4.2R to
 > 4.3R?  Any security reasons?
 
 Yes, for existing installations, the SSH client binary has to be chmod'd
 by hand.  And yes, there were security reasons for removing the setuid
 bit on the SSH client - there was at least one known vulnerability, which
 could be used for subverting the SSH client, and there is no guarantee
 that more such vulnerabilities won't creep up in the future.  Since it is
 quite rare that people are using rhosts/shosts based authentication,
 the majority of FreeBSD installations do not need a setuid SSH client.
 For those that do, there is the 'chmod by hand' workaround for an existing
 installation, and the /etc/make.conf knob for rebuilding.
 
 I apologize for my somewhat summary and not quite thought-out reply;
 the case of new installations which are not rebuilt totally slipped my mind.
 
 As a side point, rhosts/shosts-based authentication could be replaced
 with something else which does not require a setuid client - e.g. with
 public-key authentication (it is quite trivial to generate a public key
 with an empty password).  This could have other issues - the keys should
 be placed on all machines, the secret portion of the key should be placed
 on all machines from which you need to log in (this could mean placing
 secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key
 based authentication is a better solution.
 
 G'luck,
 Peter
 
 -- 
 This sentence claims to be an Epimenides paradox, but it is lying.
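
The two remedies named in this thread (the by-hand `chmod u+s /usr/bin/ssh` and the `ENABLE_SETUID_SSH` knob in /etc/make.conf) can disagree on a given host, and when only the chmod was done a later rebuild installs the client without the bit again. The following audit is an added example, not part of the original thread or of FreeBSD; the function names and status words are hypothetical, and it assumes that any uncommented assignment of the knob enables it.

```shell
#!/bin/sh
# Added example: compare the setuid state of the ssh client with make.conf.
# Paths default to the ones named in the thread; pass others to override.

# knob_set FILE: succeed if ENABLE_SETUID_SSH is assigned on an
# uncommented line. Assumption: any assignment enables the knob.
knob_set() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*ENABLE_SETUID_SSH[[:space:]]*=' "$1"
}

# audit_ssh_setuid [BINARY] [MAKE_CONF]: print one status word.
# Returns 2 if the binary does not exist, 0 otherwise.
audit_ssh_setuid() {
    bin=${1:-/usr/bin/ssh}
    conf=${2:-/etc/make.conf}
    if [ ! -f "$bin" ]; then
        echo "missing"
        return 2
    fi
    if [ -u "$bin" ]; then
        if knob_set "$conf"; then
            echo "setuid-persistent"   # bit set, and a rebuild keeps it
        else
            echo "setuid-by-hand"      # chmod only; a rebuild drops the bit
        fi
    else
        if knob_set "$conf"; then
            echo "knob-not-applied"    # knob set, binary not reinstalled yet
        else
            echo "not-setuid"          # the 4.3-RELEASE default
        fi
    fi
}
```

Calling `audit_ssh_setuid` with no arguments checks the local host; `setuid-by-hand` and `knob-not-applied` are the two states where .shosts logins will change behaviour at the next rebuild or are not yet working.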

From: Masachika ISHIZUKA <ishizuka@ish.org>
To: roam@orbitel.bg
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/26832: ssh cannot login without password when using
 ~/.shosts
Date: Thu, 26 Apr 2001 11:09:19 +0900

 >>>>>Number:         26832
 >>>>>Category:       bin
 >>>>>Synopsis:       ssh cannot login without password when using ~/.shosts
 >>>>>Originator:     Masachika ISHIZUKA
 >>>>>Fix:
 >>>> 	chmod u+s /usr/bin/ssh
 >> 
 >>   It can be fixed by adding "ENABLE_SETUID_SSH=true" to /etc/make.conf
 >> and running "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh
 >> && make && make install", but do all users who use .shosts have to install
 >> the ssh source code, and why was the suid bit of ssh removed from 4.2R to
 >> 4.3R?  Any security reasons?
 > 
 > Yes, for existing installations, the SSH client binary has to be chmod'd
 > by hand.  And yes, there were security reasons for removing the setuid
 > bit on the SSH client - there was at least one known vulnerability, which
 > could be used for subverting the SSH client, and there is no guarantee
 > that more such vulnerabilities won't creep up in the future.  Since it is
 > quite rare that people are using rhosts/shosts based authentication,
 > the majority of FreeBSD installations do not need a setuid SSH client.
 > For those that do, there is the 'chmod by hand' workaround for an existing
 > installation, and the /etc/make.conf knob for rebuilding.
 > 
 > I apologize for my somewhat summary and not quite thought-out reply;
 > the case of new installations which are not rebuilt totally slipped my mind.
 > 
 > As a side point, rhosts/shosts-based authentication could be replaced
 > with something else which does not require a setuid client - e.g. with
 > public-key authentication (it is quite trivial to generate a public key
 > with an empty password).  This could have other issues - the keys should
 > be placed on all machines, the secret portion of the key should be placed
 > on all machines from which you need to log in (this could mean placing
 > secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key
 > based authentication is a better solution.
 
   Dear Peter-san,
 
   Thank you very much for your mail.
   I understood and agree with you that public-key based
 authentication is better.  We managed more than 200 machines
 and it is too hard to replace the authentication method soon.
   We will try to introduce public-key based authentication.
 -- 
 ishizuka@ish.org
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Sat Apr 28 19:08:48 PDT 2001 
State-Changed-Why:  
Originator has been introduced to ENABLE_SETUID_SSH 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26832 
>Unformatted:
