--On Tuesday, January 23, 2001 4:07 PM -0600 Jim Barlow
<[EMAIL PROTECTED]> wrote:
> We have been using ssh1 with kerberos 5 at our site for a number of years.
> We now have a situation where a user "needs" both kerberos and RSARhosts
> authentication. However, kerberos is disabled when the ssh client is suid
> because of the KRB5CCNAME environment variable exploit. Has this ever
> been fixed, or anyone have a patch to fix it?
>
> We are going to start looking at ssh2 since it looks like it now has
> kerberos 5 authentication. Does this have the same problem as ssh1
> (ssh cannot be suid for kerberos to work)?
There is no sane reason for RSARhosts to require that the client be setuid
root (or have a port <1024). I posted patches for SSH1 many moons ago that
added a server option to remove this piece of silliness. They should still
be lingering around on ftp://ftp.cs.columbia.edu/pub/carson
somewhere.
--
Carson