Binding ssh to privileged port breaks rule (port < 1024 => system service)

Ola Sigurdson Ola at Sigurdson.SE
Tue Feb 15 02:28:09 EST 2000


Markus Friedl wrote:
> 
> On Mon, Feb 14, 2000 at 02:49:14PM +0100, Ola Sigurdson wrote:
> > What I'm saying is that suid should be turned off by default as it will
> > cause problems for a large subset of sites who only want to use ssh as a
> > secure telnet replacement.
> 
> ssh is a rsh replacement, too and rhosts-rsa is not
> considered inherently insecure but needs the s-bit.
> please tell me the problems caused by the s-bit.

The problems are not caused by the s-bit as such, they are caused by ssh
binding to a random privileged port when running as root.

For example if you have a firewall denying traffic to and from port 137
(Netbios) and ssh binds to 137 (on a host not running netbios services)
you will get no connection out, and the firewall will log an illegal
packet.

The majority of people installing ssh do just "make install" or "rpm -U
openssh*" which will give them ssh connections from random privileged
ports regardless of whether the remote host uses rhost-based login or
not.


Philosophical discussion:

Suid programs are bad, hard to debug and only exist as a hack around
flawed security models or policies. The less the better.

Regarding the rhost-rsa authentication it is also a hack around a flawed
security model, the idea being to do two very different authentications
at the same time: The user id and the specific machine id of the
client.

It's better to split the authentication into two different steps, for
example using IPsec to verify the connection, and then using ssh with
rsa chap to verify the user.

Besides, for most applications, user authentication with a rsa
certificate should be enough for access control.
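
The port collision described in the message above, as an added example that is not part of the original post: a minimal model of a stateless filter that denies a port in both directions, run over constructed outbound ssh packets. The deny-list entries other than 137, the sample source ports and all names in the code are assumptions.

```python
from dataclasses import dataclass

PRIVILEGED_LIMIT = 1024  # ports below this are "privileged" (per the subject line)
SSH_PORT = 22

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int

# Constructed rule set: ports denied "to and from", so a match on either the
# source or the destination port drops the packet.
# 137 comes from the post; 138 and 139 are constructed additions.
DENIED_PORTS = {137, 138, 139}

def filter_packet(pkt, denied=DENIED_PORTS):
    """Return (verdict, reason) as a stateless port filter would decide."""
    if pkt.dst_port in denied:
        return "DROP", f"dst port {pkt.dst_port} denied"
    if pkt.src_port in denied:
        return "DROP", f"src port {pkt.src_port} denied"
    return "ACCEPT", "no rule matched"

def colliding_source_ports(denied=DENIED_PORTS):
    """Privileged source ports on which an outbound ssh connection would be dropped."""
    return sorted(p for p in denied if 0 < p < PRIVILEGED_LIMIT)

def audit(packets, denied=DENIED_PORTS):
    """Return the outbound ssh packets the filter drops, with the reason."""
    hits = []
    for pkt in packets:
        verdict, reason = filter_packet(pkt, denied)
        if pkt.dst_port == SSH_PORT and verdict == "DROP":
            hits.append((pkt, reason))
    return hits

# Constructed sample traffic: outbound ssh from different client source ports.
SAMPLE = [
    Packet(src_port=137, dst_port=22),    # root-bound client landed on a denied port
    Packet(src_port=1021, dst_port=22),   # privileged, but not in the deny list
    Packet(src_port=40312, dst_port=22),  # client bound to an unprivileged port
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, *filter_packet(pkt))
    print("colliding privileged source ports:", colliding_source_ports())
```
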





More information about the openssh-unix-dev mailing list