ENABLE_SUID_SSH in make.conf

Oliver Fromme olli at lurza.secnetix.de
Wed Oct 18 07:25:38 UTC 2006

Ruslan Ermilov wrote:
 > Albert Chin wrote:
 > > According to make.conf(5):
 > >                    (bool) Set this to install ssh(1) with the
 > >                    set-user-ID bit turned on.
 > >  
 > > However, I think ENABLE_SUID_SSH only sets the suid bit for
 > > /usr/libexec/ssh-keysign.

That name exists for historical reasons.  Some time ago it
was ssh(1) itself which got the suid bit in order to be
able to read the private host key (which is readable by
root only).  Access to that key is required for host-based
authentication (disabled by default).  Hence the variable

But then the OpenSSH folks decided that it is preferable
not to make ssh(1) suid root.  They created a small tool
to access the private host key, and made only that tool
setuid root.  That's ssh-keysign(8).  However, the name
of the variable wasn't changed, so hostbased authentication
didn't break for those people who enabled it.

 > > Why isn't /usr/libexec/ssh-keysign suid by default anyway? It's
 > > pointless without it.
 > Good question.  Let's see what our maintainer has to say about it.
 > My feeling as well is that the option should just be removed.

Personally I have never used ssh-keysign, because I think
that host-based authentication (which is the only thing
that requires ssh-keysign to be suid-root) is too insecure.
I guess most people don't even know that it exists.  :-)

Since I prefer not to have any superfluous suid binaries on
my system, I'm quite happy with the default of ssh-keysign
not being suid-root.  Note that host-based authentication
is disabled by default anyway (for good reason), so it
doesn't really make sense to make ssh-keysign suid-root by

For the reasons outlined above, I recommend not to change
anything at all, except correcting the documentation in
make.conf(5) and in /usr/share/examples/etc/make.conf,
like this:

      (bool) Set this to install ssh-keysign(8) with the
      set-user-ID bit turned on.  This is only required
      for hostbased authentication which is disabled by
      default.  See the description of the ~/.rhosts and
      /etc/hosts.equiv files in sshd(8) for details.

Best regards

Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"The ITU has offered the IETF formal alignment with its
corresponding technology, Penguins, but that won't fly."
        -- RFC 2549

More information about the freebsd-stable mailing list