[Bug 1733] Enhance support for QoS (ToS) by supporting DSCP/CS and adding option

bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 27 06:51:30 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1733

--- Comment #16 from Gary T. Giesen <giesen at snickers.org>  ---
You're confusing the settings for the daemon (sshd_config, which
obviously only root should be able to change) with the settings for the
client (ssh_config) when someone makes an outbound connection.

The settings for the daemon can't be bypassed since obviously it
requires root privileges to launch it to listen on port 22.

The settings for the client should be freely settable by the user, just
as it is with the -S option for telnet. I have no problems with having
smart defaults in ssh_config, but they definitely should be able to be
overridden.

In the end, there's no sense having a setting which provides no
security whatsoever (but looks like it does). If a user is malicious,
they can compile their own ssh client with the settings they want and
bypass your config anyways. Since the kernel doesn't enforce any
privileges on the setting of the DSCP markings, you shouldn't either.
Thus it only makes sense to provide a configurable default.

Keep in mind it's up to the network to trust and enforce DSCP markings,
so that's the proper place for these kinds of access controls to appear.
Otherwise you'll need to convince the various *nix vendors to require
privileges on setting DSCP markings.

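Added example, not part of the comment above and not OpenSSH code: a small C program showing the mechanism the comment relies on, namely that an ordinary process can set the DSCP bits on its own TCP socket with `setsockopt(IP_TOS)` and read them back. The helper name `apply_dscp` and the sample codepoints are assumptions made for illustration.

```c
/* Added example: mark a TCP socket with a DSCP codepoint and read it back. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: mark a fresh IPv4 TCP socket with `dscp` (0..63)
 * and return the codepoint the kernel reports back, or -1 on failure.
 * Linux ip(7) notes that some high-priority levels may require
 * CAP_NET_ADMIN; the sample codepoints used in main() do not. */
int apply_dscp(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;                /* DSCP is a 6-bit field */

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int tos = dscp << 2;          /* upper 6 bits of the ToS byte; low 2 are ECN */
    int got = 0;
    socklen_t len = sizeof(got);
    int result = -1;

    /* No connection is made: the option is set and queried locally. */
    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) == 0 &&
        getsockopt(fd, IPPROTO_IP, IP_TOS, &got, &len) == 0)
        result = (got & 0xff) >> 2;

    close(fd);
    return result;
}

int main(void)
{
    /* Constructed sample codepoints: CS1 = 8, AF21 = 18. */
    const int samples[] = { 8, 18 };

    printf("effective uid: %d\n", (int)geteuid());
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("requested DSCP %d -> kernel reports %d\n",
               samples[i], apply_dscp(samples[i]));
    return 0;
}
```

Because the marking is chosen by the sending host, the place to enforce a QoS policy is the network edge, where packets can be re-marked or policed regardless of what the client requested.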