
1. "ssh-keysign" has to be setuid root in order to allow "ssh" (which is not setuid root) to read the host keys (which are readable only by root) in SSH2 host based authentication.
2. Use an empty subdir for the privilege separation and make only this one owned by root (as required by Linux)

Ralf S. Engelschall, 24 years ago
Commit ea86d8d783
1 file changed, 6 insertions and 3 deletions

openssh/openssh.spec

@@ -158,7 +158,7 @@ AutoReqProv:  no
           --with-mantype=man \
           --with-default-path=%{l_prefix}/bin:/bin:/usr/bin:/usr/local/bin \
           --with-privsep-user=%{l_nusr} \
-          --with-privsep-path=%{l_prefix}/var/openssh
+          --with-privsep-path=%{l_prefix}/var/openssh/empty
 
       #   build package
       %{l_make} %{l_mflags -O}
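Review bot: The new `--with-privsep-path=%{l_prefix}/var/openssh/empty` value is a literal that the mkdir call and the %files entry further down have to repeat exactly; if one of the three drifts, sshd is configured to use a privilege separation directory that the package does not create or does not lock down. Define the path once in the spec and reference it in all three places, and add a comment here that the directory must stay empty and root-owned.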
@@ -184,7 +184,9 @@ AutoReqProv:  no
         %{SOURCE ssh-askpass} $RPM_BUILD_ROOT%{l_prefix}/libexec/openssh/
 
     #   make sure the state directory exists
-    %{l_shtool} mkdir -f -p -m 755 $RPM_BUILD_ROOT%{l_prefix}/var/openssh
+    %{l_shtool} mkdir -f -p -m 755 \
+	    $RPM_BUILD_ROOT%{l_prefix}/var/openssh \
+	    $RPM_BUILD_ROOT%{l_prefix}/var/openssh/empty
 
     #   install addons
     %{l_shtool} install -c -m 755 -e 's;@l_prefix@;%{l_prefix};g' \
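Review bot: Both directories are created with `-m 755` here, while the %files list later packages `var/openssh/empty` as `%attr(700,root,root)`, so the build-root mode and the packaged mode disagree and only the %attr entry keeps the privsep directory closed. Create `empty` in its own mkdir call with `-m 700`, and extend the "make sure the state directory exists" comment to say what the subdirectory is for. The two continuation lines are also indented with tabs where the surrounding lines use spaces.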
@@ -210,7 +212,8 @@ AutoReqProv:  no
     %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
         %{l_files_std} \
         '%config %{l_prefix}/etc/openssh/*' \
-        '%dir %attr(700,root,root) %{l_prefix}/var/openssh'
+        '%attr(4711,root,%{l_mgrp}) %{l_prefix}/libexec/openssh/ssh-keysign' \
+        '%dir %attr(700,root,root) %{l_prefix}/var/openssh/empty'
 
 %files -f files
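Review bot: Dropping the `%dir %attr(700,root,root) %{l_prefix}/var/openssh` entry leaves the parent directory's owner and mode to `%{l_files_std}`, and any account that can write to that parent can rename or replace `empty` even though `empty` itself is root-owned with mode 700. State the parent's intended owner and mode explicitly and keep it non-writable for unprivileged accounts. The `ssh-keysign` line adds a setuid-root binary (mode 4711) without a comment in the spec; note next to it that the bit is needed only for SSH2 host-based authentication, so sites that do not use that method know it can be cleared.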