From 7a5f8b87af7142ce973bd88abf98279ce15559a9 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue, 14 Jan 2025 04:06:44 -0500
Subject: [PATCH] permission hardener: disable SUID for `ssh-agent`,
 `ssh-keysign`, `/lib/openssh/*`

This might break SSH host-based authentication.
---
 .../25_default_whitelist_ssh.conf                    | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
index 5511112..2d5f786 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -5,7 +5,11 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
-## TODO: research
-ssh-agent matchwhitelist
-ssh-keysign matchwhitelist
-/lib/openssh matchwhitelist
+## Used only for SSH host-based authentication
+## https://linux.die.net/man/8/ssh-keysign
+## Needed to allow access to the machine's host key for use in the
+## authentication process. This is a non-default method of authenticating to
+## SSH, and is likely rarely used, thus this should be safe to disable.
+#ssh-agent matchwhitelist
+#ssh-keysign matchwhitelist
+#/lib/openssh matchwhitelist