Bugtraq mailing list archives

Re: Bug in ssh client (open ssh 2.3.0)


From: Tatu Ylonen <ylo () SSH COM>
Date: Sat, 10 Feb 2001 14:42:23 +0200

* Tomasz Ku?niar wrote:
Ssh client is suid, so it could be real problem. Must check source...

      SUID is only needed when using rhosts or rshost-rsa authentication.
Many installations don't need it. Just set this option [taken from man ssh]:

The SSH2 architecture has been designed so that the client does not need a
SUID bit at all.  SSH2 has a small helper program, ssh-signer2, which does
the signing operation for host based authentication.  This way, the amount
of code that needs to run SUID root is greatly minimized, reducing the
probability of security bugs related to it.

SSH2 also fixes fundamental security problems in the old SSH1 protocol.
SSH1 is DEPRECATED, and people are strongly encouraged to move to using
the SSH2 protocol.

The latest version of SSH2 is ssh-2.4.0, available from
ftp://ftp.ssh.com/pub/ssh.  SSH2 is completely free for any use on Linux,
FreeBSD, NetBSD, and OpenBSD, as well as for use by universities and
charity organizations, and for personal hobby/recreational use by
individuals. (For commercial use, please see http://www.ssh.com/.)

    Tatu

-- 
SSH Communications Security           http://www.ssh.com/
SSH IPSEC Toolkit                     http://www.ipsec.com/
SSH(R) Secure Shell(TM)               http://www.ssh.com/products/ssh
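
An added example, not part of the original message and not code from SSH2: a shell check that lists the setuid files in a directory and flags any that are not on an allow-list, one way an administrator could confirm that only the signing helper carries the bit. The function names and the fixture file names `ssh2` and `scp2` are assumptions; only `ssh-signer2` is named in the message above.

```shell
#!/bin/sh
# Added example. Fixture file names are constructed stand-ins.

# audit_suid DIR ALLOWED_NAME...
# Prints "expected NAME" or "UNEXPECTED NAME" for every setuid file in DIR.
# Returns 1 if any setuid file is missing from the allow-list, else 0.
audit_suid() {
    dir=$1; shift
    rc=0
    # -perm -4000 matches any regular file with the setuid bit set.
    # LC_ALL=C keeps the sort order independent of the caller's locale.
    found=$(find "$dir" -type f -perm -4000 | LC_ALL=C sort)
    if [ -z "$found" ]; then return 0; fi
    while IFS= read -r path; do
        base=${path##*/}
        verdict=UNEXPECTED
        for name in "$@"; do
            if [ "$name" = "$base" ]; then verdict=expected; fi
        done
        if [ "$verdict" = UNEXPECTED ]; then rc=1; fi
        echo "$verdict $base"
    done <<EOF
$found
EOF
    return $rc
}

# make_fixture: build a throwaway directory of empty stand-in files and
# print its path. The setuid bit is set on two of them; the owner is whoever
# runs the script, so this exercises the mode check only, not ownership.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/ssh2"; : > "$d/ssh-signer2"; : > "$d/scp2"
    chmod 4755 "$d/ssh2" "$d/ssh-signer2"
    chmod 0755 "$d/scp2"
    echo "$d"
}

fixture=$(make_fixture)
# Only the signing helper is allowed to be setuid, so ssh2 is flagged.
audit_suid "$fixture" ssh-signer2 || echo "audit: unexpected setuid files found"
rm -rf "$fixture"
```

On a real system the directory argument would be the SSH installation's binary directory, and the check would also compare the file owner against root.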

