#911974 openssh-client: please avoid shipping setuid ssh-keysign by default

Package: openssh-client
Source: openssh
Description: secure shell (SSH) client, for secure access to remote machines
Submitter: Daniel Kahn Gillmor
Date: 2026-05-15 11:59:02 UTC
Severity: wishlist

#911974#5
Date: 2018-10-26 19:05:07 UTC

/usr/lib/openssh/ssh-keysign is one of only a few setuid programs left
on a modern system.  It looks like it is *probably* relatively safe --
not enabled by default due to configurations set in
/etc/ssh/ssh_config, checking that config file early before doing much
else, etc.

However, I suspect that this file isn't used at all by most people
(host-based authentication is generally discouraged), and those admins
that do require it can probably install a separate package, or answer
a non-default debconf question, or something comparable that doesn't
leave a setuid binary on most installations.

Reducing the setuid attack surface would be nice!

#911974#10
Date: 2026-05-15 11:56:01 UTC

There was once a debconf question for this, but I disabled it in
https://salsa.debian.org/ssh-team/openssh/-/commit/38f80c0a13d58fe27fbf5b2bae09368d3db4c09c
in an attempt to simplify the packaging.

The existence of https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
does indeed suggest that it would be worth reducing the attack surface
here.
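
Added example, not part of the bug report or of the Debian packaging: a local audit an administrator could run to see whether the setuid bit on ssh-keysign is actually needed, based on the `EnableSSHKeysign` option in ssh_config. It assumes the config files are passed explicitly (the `ssh_config.d` glob is an assumption, and Include directives and Host/Match scoping are not followed), and it conservatively treats a `yes` in any file as "in use".

```shell
#!/bin/sh
# Added example: audit the setuid ssh-keysign helper on a Debian-style system.
# Simplification (assumption): Include directives and Host/Match scoping are
# not followed; pass every config file to inspect explicitly.

# Succeed if any given file sets "EnableSSHKeysign yes" (keyword and value
# are case-insensitive; "keyword=value" is accepted as well as whitespace).
keysign_enabled() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '{ sub(/=/, " ") }
             tolower($1) == "enablesshkeysign" && tolower($2) == "yes" { hit = 1 }
             END { exit !hit }' "$f" && return 0
    done
    return 1
}

# Classify the helper: absent | not-setuid | setuid-unused | setuid-in-use
audit_keysign() {
    bin=$1; shift
    if [ ! -e "$bin" ]; then echo "absent"; return 0; fi
    if [ ! -u "$bin" ]; then echo "not-setuid"; return 0; fi
    if keysign_enabled "$@"; then
        echo "setuid-in-use"    # host-based authentication relies on it
    else
        echo "setuid-unused"
        # Local override that is kept across package upgrades:
        echo "hint: dpkg-statoverride --update --add root root 0755 $bin" >&2
    fi
}

# Binary and main config path as named in the bug report.
audit_keysign /usr/lib/openssh/ssh-keysign \
    /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf
```

The verdict goes to stdout and the remediation hint to stderr, so the function can be used in a fleet-wide check that collects only the verdict.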