suid bit sshd

Dan Nelson dnelson at
Fri Aug 20 07:18:31 PDT 2004

In the last episode (Aug 20), Dag-Erling Smorgrav said:
> Maxim Konovalov <maxim at> writes:
> > DES, is it OK to commit a following patch?  Or you were going to
> > deprecate ENABLE_SUID_SSH?  We still have it in make.conf(5),
> > share/examples/etc/make.conf and ssh-keysign/Makefile.
> The whole point with ssh-keysign is to separate out the parts of ssh
> that need a setuid bit.  It should not be necessary for ssh to have a
> setuid bit if ssh-keysign does, which is what ENABLE_SUID_SSH
> controls these days.

ssh-keysign doesn't yet handle SSH 1 keys, though, and a non-root ssh
can't use UsePrivilegedPort which may be needed for
RhostsRSAAuthentication with older servers.  If you're only using SSH-2
keys, and you're only talking to new sshds, then no, you don't need

	Dan Nelson
	dnelson at

More information about the freebsd-current mailing list