On Fri, Oct 26, 2018 at 03:05:07PM -0400, Daniel Kahn Gillmor wrote:
> /usr/lib/openssh/ssh-keysign is one of only a few setuid programs left
> on a modern system.  It looks like it is *probably* relatively safe --
> not enabled by default due to configurations set in
> /etc/ssh/ssh_config, checking that config file early before doing much
> else, etc.
>
> However, I suspect that this file isn't used at all by most people
> (host-based authentication is generally discouraged), and those admins
> that do require it can probably install a separate package, or answer
> a non-default debconf question, or something comparable that doesn't
> leave a setuid binary on most installations.
>
> Reducing the setuid attack surface would be nice!

There was once a debconf question for this, but I disabled it in https://salsa.debian.org/ssh-team/openssh/-/commit/38f80c0a13d58fe27fbf5b2bae09368d3db4c09c in an attempt to simplify the packaging.

The existence of https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn does indeed suggest that it would be worth reducing the attack surface here.

--
Colin Watson (he/him)
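A small audit script, added here as an illustration and not part of the thread or of Debian's openssh packaging, that checks the two facts discussed above on a host: whether ssh-keysign still carries the setuid bit, and whether /etc/ssh/ssh_config actually turns it on via EnableSSHKeysign. The state labels are this script's own; the dpkg-statoverride remediation is only printed, not run.

```shell
#!/bin/sh
# Audit ssh-keysign: is it setuid, and does the client config even use it?
# Paths are the Debian defaults named in the thread.
KEYSIGN=/usr/lib/openssh/ssh-keysign
SSH_CONFIG=/etc/ssh/ssh_config

# Return 0 if config file $1 sets keyword $2 to "yes" on an uncommented line.
# Keywords are case-insensitive and may use "key value" or "key=value", as
# ssh(1) parses them. Host/Match scoping is ignored on purpose, so a keyword
# that is on for only some hosts is still reported as on.
config_says_yes() {
    grep -iE "^[[:space:]]*$2[[:space:]=]+yes([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# Print one word describing binary $1 under config $2:
#   absent        - no such binary, nothing to reduce
#   not-setuid    - present but the setuid bit is already gone
#   setuid-unused - setuid, yet EnableSSHKeysign is not set: the bit serves
#                   no configured purpose and is pure attack surface
#   setuid-in-use - setuid and enabled; host-based auth here depends on it
audit_keysign() {
    bin=$1
    cfg=$2
    if [ ! -e "$bin" ]; then echo absent; return 0; fi
    if [ ! -u "$bin" ]; then echo not-setuid; return 0; fi
    if config_says_yes "$cfg" EnableSSHKeysign; then
        echo setuid-in-use
    else
        echo setuid-unused
    fi
}

state=$(audit_keysign "$KEYSIGN" "$SSH_CONFIG")
echo "ssh-keysign: $state"
if [ "$state" = setuid-unused ]; then
    # Debian's way to drop the bit so a package upgrade does not restore it.
    echo "suggest: dpkg-statoverride --update --add root root 0755 $KEYSIGN"
fi
```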
