From ishizuka@xephion.ne.jp Tue Apr 24 23:05:59 2001 Return-Path: Received: from cima.nw.xephion.ne.jp (cima.nw.xephion.ne.jp [211.9.226.131]) by hub.freebsd.org (Postfix) with ESMTP id 2EC8037B42C for ; Tue, 24 Apr 2001 23:05:58 -0700 (PDT) (envelope-from ishizuka@xephion.ne.jp) Received: (from ishizuka@localhost) by cima.nw.xephion.ne.jp (8.11.3/8.11.1/2000-11-24) id f3P65s402055; Wed, 25 Apr 2001 15:05:54 +0900 (JST) Message-Id: <200104250605.f3P65s402055@cima.nw.xephion.ne.jp> Date: Wed, 25 Apr 2001 15:05:54 +0900 (JST) From: Masachika ISHIZUKA Reply-To: ishizuka@xephion.ne.jp To: FreeBSD-gnats-submit@freebsd.org Cc: ishizuka@cima.nw.xephion.ne.jp Subject: ssh cannot login without password when using ~/.shosts X-Send-Pr-Version: 3.113 X-GNATS-Notify: >Number: 26832 >Category: bin >Synopsis: ssh cannot login without password when using ~/.shosts >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Apr 24 23:10:01 PDT 2001 >Closed-Date: Sat Apr 28 19:08:48 PDT 2001 >Last-Modified: Sat Apr 28 19:09:08 PDT 2001 >Originator: Masachika ISHIZUKA >Release: FreeBSD 4.3-RELEASE i386 >Organization: >Environment: System: FreeBSD cima.nw.xephion.ne.jp 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Apr 25 11:30:19 JST 2001 root@:/usr/src/sys/compile/cima i386 >Description: ssh cannot login without password when using ~/.shosts >How-To-Repeat: >Fix: chmod u+s /usr/bin/ssh >Release-Note: >Audit-Trail: From: Peter Pentchev To: Masachika ISHIZUKA Cc: FreeBSD-gnats-submit@freebsd.org, ishizuka@cima.nw.xephion.ne.jp Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts Date: Wed, 25 Apr 2001 09:41:44 +0300 On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote: > > >Number: 26832 > >Category: bin > >Synopsis: ssh cannot login without password when using ~/.shosts > >Originator: Masachika ISHIZUKA > >Environment: > System: FreeBSD cima.nw.xephion.ne.jp 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Wed Apr 25 11:30:19 JST 2001 root@:/usr/src/sys/compile/cima i386 > >Description: > ssh cannot login without password when using ~/.shosts > >How-To-Repeat: > > >Fix: > chmod u+s /usr/bin/ssh Mmmm.. I would rather think the correct fix is putting: ENABLE_SETUID_SSH=true in your /etc/make.conf, as documented in /etc/defaults/make.conf. G'luck, Peter -- What would this sentence be like if it weren't self-referential? From: Masachika ISHIZUKA To: roam@orbitel.bg Cc: FreeBSD-gnats-submit@freebsd.org, ishizuka@ish.org Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts Date: Wed, 25 Apr 2001 18:29:53 +0900 > On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote: > >>>Number: 26832 >>>Category: bin >>>Synopsis: ssh cannot login without password when using ~/.shosts >>>Originator: Masachika ISHIZUKA >>>Fix: >> chmod u+s /usr/bin/ssh > > Mmmm.. I would rather think the correct fix is putting: > ENABLE_SETUID_SSH=true > > in your /etc/make.conf, as documented in /etc/defaults/make.conf. Dear, Peter-san. Thank you for reply. It can be fixed to add "ENABLE_SETUID_SSH=true" in /etc/make.conf and "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh && make && make install", but do all users to use .shosts install ssh source code, and why is the suid bit of ssh removed from 4.2R to 4.3R ? Any security reasons ? -- ishizuka@ish.org From: Peter Pentchev To: Masachika ISHIZUKA Cc: FreeBSD-gnats-submit@freebsd.org Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts Date: Wed, 25 Apr 2001 13:14:34 +0300 On Wed, Apr 25, 2001 at 06:29:53PM +0900, Masachika ISHIZUKA wrote: > > On Wed, Apr 25, 2001 at 03:05:54PM +0900, Masachika ISHIZUKA wrote: > > > >>>Number: 26832 > >>>Category: bin > >>>Synopsis: ssh cannot login without password when using ~/.shosts > >>>Originator: Masachika ISHIZUKA > >>>Fix: > >> chmod u+s /usr/bin/ssh > > > > Mmmm.. I would rather think the correct fix is putting: > > ENABLE_SETUID_SSH=true > > > > in your /etc/make.conf, as documented in /etc/defaults/make.conf. > > Dear, Peter-san. > Thank you for reply. > It can be fixed to add "ENABLE_SETUID_SSH=true" in /etc/make.conf > and "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh > && make && make install", but do all users to use .shosts install > ssh source code, and why is the suid bit of ssh removed from 4.2R to > 4.3R ? Any security reasons ? Yes, for existing installations, the SSH client binary has to be chmod'd by hand. And yes, there were security reasons for removing the setuid bit on the SSH client - there was at least one known vulnerability, which could be used for subverting the SSH client, and there is no guarantee that more such vulnerabilities won't creep up in the future. Since it is quite rare that people are using rhosts/shosts based authentication, the majority of FreeBSD installations do not need a setuid SSH client. For those that do, there is the 'chmod by hand' workaround for an existing installation, and the /etc/make.conf knob for rebuilding. I apologize for my somewhat summary and not quite thought-out reply; the case of new installations which are not rebuilt totally slipped my mind. As a side point, rhosts/shosts-based authentication could be replaced with something else which does not require a setuid client - e.g. with public-key authentication (it is quite trivial to generate a public key with an empty password). This could have other issues - the keys should be placed on all machines, the secret portion of the key should be placed on all machines from which you need to log in (this could mean placing secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key based authentication is a better solution. G'luck, Peter -- This sentence claims to be an Epimenides paradox, but it is lying. From: Masachika ISHIZUKA To: roam@orbitel.bg Cc: FreeBSD-gnats-submit@freebsd.org Subject: Re: bin/26832: ssh cannot login without password when using ~/.shosts Date: Thu, 26 Apr 2001 11:09:19 +0900 >>>>>Number: 26832 >>>>>Category: bin >>>>>Synopsis: ssh cannot login without password when using ~/.shosts >>>>>Originator: Masachika ISHIZUKA >>>>>Fix: >>>> chmod u+s /usr/bin/ssh >> >> It can be fixed to add "ENABLE_SETUID_SSH=true" in /etc/make.conf >> and "cd /usr/src/secure/lib/libssh && make && cd ../../usr.bin/ssh >> && make && make install", but do all users to use .shosts install >> ssh source code, and why is the suid bit of ssh removed from 4.2R to >> 4.3R ? Any security reasons ? > > Yes, for existing installations, the SSH client binary has to be chmod'd > by hand. And yes, there were security reasons for removing the setuid > bit on the SSH client - there was at least one known vulnerability, which > could be used for subverting the SSH client, and there is no guarantee > that more such vulnerabilities won't creep up in the future. Since it is > quite rare that people are using rhosts/shosts based authentication, > the majority of FreeBSD installations do not need a setuid SSH client. > For those that do, there is the 'chmod by hand' workaround for an existing > installation, and the /etc/make.conf knob for rebuilding. > > I apologize for my somewhat summary and not quite thought-out reply; > the case of new installations which are not rebuilt totally slipped my mind. > > As a side point, rhosts/shosts-based authentication could be replaced > with something else which does not require a setuid client - e.g. with > public-key authentication (it is quite trivial to generate a public key > with an empty password). This could have other issues - the keys should > be placed on all machines, the secret portion of the key should be placed > on all machines from which you need to log in (this could mean placing > secret keys on NFS-exported homedirs.. ugh).. but in some cases, public-key > based authentication is a better solution. Dear, Peter-san Thank you very much for mail. I understood and agree with you that the public-key based authentication is better. We managed more than 200 machines and it is too hard to replace authentication method soon. We will try to introduce public-key based authentication. -- ishizuka@ish.org State-Changed-From-To: open->closed State-Changed-By: dd State-Changed-When: Sat Apr 28 19:08:48 PDT 2001 State-Changed-Why: Originator has been introduced to ENABLE_SETUID_SSH http://www.freebsd.org/cgi/query-pr.cgi?pr=26832 >Unformatted: