binding to privileged ports

Chris Lightfoot chris at ex-parrot.com
Tue Oct 10 07:46:05 EST 2000


On Mon, 9 Oct 2000, Kevin Steves wrote:

> On Mon, 9 Oct 2000, Chris Lightfoot wrote:
> : On Mon, 9 Oct 2000, Markus Friedl wrote:
> : > On Mon, Oct 09, 2000 at 12:14:30AM +0100, Chris Lightfoot wrote:
> : > > This creates problems in environments where a range of privileged ports
> : > > (those which correspond to well-known services) is firewalled out,
> 
> I'm not sure what you mean by firewalled out.

As in, that there exists a firewall between the two hosts on which I am
using ssh/sshd which filters out all privileged ports other than a few
which correspond to services which are actually in use, and a small set of
ports at the top of the range.

> : > > leaving the range from ~850 to 1023 available. From this point of
> : > > view, it would seem desirable to count downwards as stock ssh
> : > > does, rather than upwards.
> : > > 
> : > > What is the reasoning behind this decision?
> : > 
> : > I did not know that it causes problems.
> : 
> : It's a bit of a special case, but I think quite a few firewalls are
> : constructed in this way.
> 
> Are you filtering connections via source port?  If so, how does that
> increase the security of your firewall?  The use of source port <1024 as
> a security mechanism is flawed.

1. Not my firewall.

2. Certainly, relying on port filtering of this sort alone is a flawed
strategy. However, there are valid reasons to do it, and IMO it probably does
have a tangible security benefit even in conjunction with a more
sophisticated firewall (which is also deployed in this instance).

3. Every other piece of software I have looked at which runs suid root to
allocate a privileged port does so by allocating the highest available
one. I presume that openssh is designed differently for some reason other
than bloody-mindedness; I would be interested to find out what that reason
is.


Chris Lightfoot -- http://www.ex-parrot.com/~chris/
  People who make no mistakes do not usually make anything
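The two allocation orders the thread contrasts, as an added example that is not code from OpenSSH or from anyone in the thread: a helper that binds a socket to the first free port in a range, either from the top down (highest free port first, as the thread says stock ssh does) or from the bottom up. The port range used in the comments, the INADDR_ANY source address and the function names are my assumptions.

```c
/* Added example, not OpenSSH code: bind a socket to the first free port in
 * [lo, hi], searching downward (highest free port first) or upward. */
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns the port bound, or -1 with errno set. Only EADDRINUSE moves on to
 * the next port; EACCES (no privilege for a port < 1024) or EINVAL (socket
 * already bound) is reported at once instead of being masked by retries. */
int bind_port_in_range(int sock, in_addr_t addr, int lo, int hi, int downward)
{
    struct sockaddr_in sin;
    int port;
    if (lo < 1 || hi > 65535 || lo > hi) {
        errno = EINVAL;
        return -1;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = addr;
    for (port = downward ? hi : lo; port >= lo && port <= hi;
         port += downward ? -1 : 1) {
        sin.sin_port = htons((uint16_t)port);
        if (bind(sock, (struct sockaddr *)&sin, sizeof sin) == 0)
            return port;
        if (errno != EADDRINUSE)
            return -1;
    }
    errno = EADDRINUSE; /* every port in the range is taken */
    return -1;
}

/* Creates a TCP socket bound on INADDR_ANY within [lo, hi]; stores it in
 * *sock_out and returns the port, or closes it and returns -1 on failure.
 * With lo=512, hi=1023 as root this mirrors privileged source-port
 * allocation; an unprivileged range (assumed below) runs as any user. */
int bind_new_socket_in_range(int lo, int hi, int downward, int *sock_out)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0), port, saved;
    if (sock < 0)
        return -1;
    port = bind_port_in_range(sock, htonl(INADDR_ANY), lo, hi, downward);
    if (port < 0) {
        saved = errno; close(sock); errno = saved;
        return -1;
    }
    *sock_out = sock;
    return port;
}
```

A second downward call on the same three-port range lands one port below the first, which is the "highest available" behaviour the thread describes.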

More information about the openssh-unix-dev mailing list