change in rhosts-rsa behavior

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Tue Apr 24 23:58:02 EST 2001


On Tue, Apr 24, 2001 at 09:48:00AM -0400, Michael Stone wrote:
> On Tue, Apr 24, 2001 at 03:40:13PM +0200, Markus Friedl wrote:
> > privileged ports require setuid root and cause problems.
> 
> Don't you need this anyway to read the private key? If you install
> without suid, didn't everything else work find without privileged ports?

probably not in the future.  an external program can do this
for protocol version 2.

> > openssh's sshd does not require this.
> 
> It did up until a little while ago. Wouldn't it make sense to change the
> server default first, wait a major release, and then change the client
> default?

there was a release between these changes.

> > you can always force the client to allocate privileged ports.
> 
> openssh seems to have a nasty habit of breaking compatibility a *lot*.

not that i'm aware of.

please, show me.

> (It's one of the things I hear quite often when people are installing
> new openssh's.) It would be nice if compatibility concerns were given
> more weight, especially in a case like this, where the benefits of the
> change aren't really driven by security.

we got much more complaints with:
	"why does openssl allocate a privileged port"
than
	"why does openssl not allocate a privileged port"

plus: this change is driven by security, since openssh's client
should not need to be setuid in the future.

-m



More information about the openssh-unix-dev mailing list