From 5cac423871b406a474149c5a0c3b1085ef1fd0f4 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 11 Jun 2002 15:45:02 +0000 Subject: - stevesk@cvs.openbsd.org 2002/06/09 22:15:15 [ssh.1] update for no setuid root and ssh-keysign; ok deraadt@ --- ChangeLog | 6 +++++- ssh.1 | 25 +++++++++++++++++++++---- 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index fdfc0f0d4..34a863b1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 20020611 - (bal) ssh-agent.c RCSD fix (|unexpand already done) + - (bal) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2002/06/09 22:15:15 + [ssh.1] + update for no setuid root and ssh-keysign; ok deraadt@ 20020609 - (bal) OpenBSD CVS Sync @@ -865,4 +869,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2199 2002/06/11 15:42:53 mouring Exp $ +$Id: ChangeLog,v 1.2200 2002/06/11 15:45:02 mouring Exp $ diff --git a/ssh.1 b/ssh.1 index ada58e1eb..49b50c391 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.154 2002/06/08 05:17:01 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.155 2002/06/09 22:15:15 stevesk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1105,7 +1105,9 @@ or .Dq no . The default is .Dq yes . -This option applies to protocol version 1 only. +This option applies to protocol version 1 only and requires +.Nm +to be setuid root. .It Cm RSAAuthentication Specifies whether to try RSA authentication. The argument to this keyword must be 
@@ -1376,9 +1378,23 @@ and are used for .Cm RhostsRSAAuthentication and .Cm HostbasedAuthentication . -Since they are readable only by root +If the protocol version 1 +.Cm RhostsRSAAuthentication +method is used, +.Nm +must be setuid root, since the host key is readable only by root. +For protocol version 2, +.Nm +uses +.Xr ssh-keysign 8 +to access the host keys for +.Cm HostbasedAuthentication . +This eliminates the requirement that +.Nm +be setuid root when that authentication method is used. +By default .Nm -must be setuid root if these authentication methods are desired. +is not setuid root. .It Pa $HOME/.rhosts This file is used in .Pa \&.rhosts @@ -1483,6 +1499,7 @@ protocol versions 1.5 and 2.0. .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr telnet 1 , +.Xr ssh-keysign 8, .Xr sshd 8 .Rs .%A T. Ylonen -- cgit v1.2.3
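Review bot: In the ssh.1 hunk at `@@ -1105,7 +1105,9 @@`, the new text "This option applies to protocol version 1 only and requires .Nm to be setuid root." leaves the default of .Dq yes in place, while the FILES hunk in the same patch states that ssh is not setuid root by default; the option description should say what the default setting does when the binary is not setuid (whether the method is skipped or fails), or at least point the reader to the host key entry under FILES where the setuid requirement is explained. Suggested wording: "This option applies to protocol version 1 only and requires .Nm to be setuid root; see the description of the host key files below."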
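Review bot: In the ssh.1 hunk at `@@ -1376,9 +1378,23 @@`, the sentence "This eliminates the requirement that .Nm be setuid root when that authentication method is used." could be read as meaning hostbased authentication no longer needs any privileged component, but the same hunk says the host keys are readable only by root and that ssh-keysign(8) is what reads them on ssh's behalf, so the privilege has moved rather than disappeared. Suggest adding a clause such as "the host keys are then read by .Xr ssh-keysign 8 rather than by .Nm itself" so the reader knows which program now carries that privilege and where to look for its behaviour.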
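Review bot: In the SEE ALSO hunk at `@@ -1483,6 +1499,7 @@`, the added line `.Xr ssh-keysign 8,` is missing the space before the comma; mdoc only treats trailing punctuation as punctuation when it is a separate argument, so as written the section argument becomes "8," and renders as ssh-keysign(8,). Change it to `.Xr ssh-keysign 8 ,` to match the neighbouring entries `.Xr ssh-keygen 1 ,` and `.Xr telnet 1 ,`. The placement itself (after the section 1 pages, before sshd(8)) follows the existing ordering.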