Binding ssh to privileged port breaks rule (port < 1024 => system service)

Ola Sigurdson Ola at Sigurdson.SE
Tue Feb 15 00:49:14 EST 2000


Well, yes, I know how to turn it off.

What I'm saying is that suid should be turned off by default as it will
cause problems for a large subset of sites who only want to use ssh as a
secure telnet replacement.

(If you want to allow automatic logins without passwords you anyway have
some serious thinking and configuration to do. Turning on the suid bit
is not that big a deal in that case. From ssh.1: /etc/hosts.equiv,
.rhosts, and the rlogin/rsh protocol in general, are inherently insecure
and should be disabled if security is desired. )

Markus Friedl wrote:
> 
> On Mon, Feb 14, 2000 at 01:54:00PM +0100, Ola Sigurdson wrote:
> > I'm sure there is a rationale for binding the ssh client to a
> > privileged port. (Which?)
> 
> for rhosts/rhosts-rsa authentication the server has to trust the
> username supplied by the client program.
> 
> the client is only trusted if it runs as root and 'shows' its
> privileges by binding to a random low port.
> 
> you can turn this behaviour off with:
>         Host *
>                 UsePrivilegedPort no
> or
>         Host *
>                 RhostsAuthentication    no
>                 RhostsRSAAuthentication no
> 
> -markus
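An added illustration of the mechanism Markus describes (example code written for this archive page, not OpenSSH's own code): the server believes the username a client sends only if the connection arrives from a source port below 1024, because on a classic Unix host only root can bind such a port. The client side mimics the old rresvport(3) scan for a free reserved port, and the demo functions set up a constructed loopback exchange so the check can be run locally. Assumptions: IPv4 loopback, the 512-1023 scan range, and the hypothetical username "ola" are all choices made for the example. Run as an unprivileged user the second demo fails with EACCES, which is exactly why the client has to be setuid root for rhosts/rhosts-rsa authentication to work at all.

```python
import errno
import socket

PRIVILEGED_PORT_MAX = 1023   # classic Unix: binding ports 1..1023 requires root


def source_port_is_privileged(port: int) -> bool:
    """The rsh/rlogin rule the server applies: a peer connecting from a port
    below 1024 must have been root on its host, so its claimed user is believed."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def try_bind_reserved_port(lo: int = 512, hi: int = 1023):
    """Mimic rresvport(3): scan downwards for a free reserved port on loopback.
    Returns (socket, port) on success, or (None, errno) when the caller lacks
    privilege (EACCES/EPERM) or the whole range is busy (EAGAIN)."""
    for port in range(hi, lo - 1, -1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
            return s, port
        except PermissionError as e:
            s.close()
            return None, e.errno          # unprivileged client cannot "show" root
        except OSError as e:
            s.close()
            if e.errno in (errno.EADDRINUSE, errno.EADDRNOTAVAIL):
                continue                  # that port is taken, try the next one
            raise
    return None, errno.EAGAIN


def accept_and_check(listener: socket.socket, claimed_user: str) -> dict:
    """Server side: accept one connection and decide whether the username the
    client claims is trusted, purely from the peer's source port."""
    conn, (_peer_host, peer_port) = listener.accept()
    with conn:
        return {
            "user": claimed_user,                     # hypothetical name (assumption)
            "peer_port": peer_port,
            "trusted": source_port_is_privileged(peer_port),
        }


def _loopback_listener() -> socket.socket:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))               # ephemeral server port
    listener.listen(1)
    return listener


def demo_unprivileged_client() -> dict:
    """Constructed exchange: the client connects from whatever ephemeral port
    the kernel hands out, which is never below 1024, so it is not trusted."""
    listener = _loopback_listener()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect(listener.getsockname())
        return accept_and_check(listener, "ola")
    finally:
        client.close()
        listener.close()


def demo_client_claiming_privilege():
    """Constructed exchange: the client first tries to bind a reserved port, the
    way a setuid-root ssh client does.  Returns the server's verdict dict when
    the bind succeeds (root), or the errno that stopped the bind otherwise."""
    listener = _loopback_listener()
    client, err = try_bind_reserved_port()
    if client is None:
        listener.close()
        return err                         # typically errno.EACCES for non-root
    try:
        client.connect(listener.getsockname())
        return accept_and_check(listener, "ola")
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    print("ephemeral-port client :", demo_unprivileged_client())
    print("reserved-port client  :", demo_client_claiming_privilege())
```

The point of the two demos is the asymmetry: the server-side check is a one-line port comparison, but satisfying it forces every client binary into a root-privileged bind, which is the cost Ola is objecting to for sites that never use rhosts-style authentication.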
More information about the openssh-unix-dev mailing list