Portable OpenSSH 2.5.1p1

Michael H. Warfield mhw at wittsend.com
Tue Feb 20 05:52:47 EST 2001


On Mon, Feb 19, 2001 at 07:37:35PM +0100, Gert Doering wrote:
> Hi,

> On Tue, Feb 20, 2001 at 03:00:00AM +1100, Damien Miller wrote:
> > 5) Important changes in the implementation of SSH 1 protocol:

> >     The OpenSSH server does not require a privileged source port for
> >     RhostsRsaAuthentication, since it adds no additional security.

> I don't buy (understand?) that.

> Using RhostsRsaAuthentication, I can give user "A" the right to log into an
> account, but not user "B" on the same client machine.  

> Requiring privileged ports for this means "user B can't compile his own
> ssh client that pretents he's user A", so user B can't easily hack into my
> account.  Now if I don't trust "root" on the client machine, or if B can
> get root access, I'm lost anyway, that's true (but if they have root 
> access, they can hijack my ssh sessions by fiddling with ttys, so in 
> that case, I have lost in any case).

> But if no suid port is required, RostsRsaAuthentication is effectively 
> useless if you're doing this on a multi-user system.

	I think the point here is that the reserved ports boundry is
a Unix fiction that other operating systems don't have to adhere
to.  That means that access to your server is based on policies present
on the client system over which you probably have no control.  If you
can't guarantee that the reserved port designation means anything at all
to the client side, then using it to make security decisions doesn't
really add anything to the security at all.

> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!






More information about the openssh-unix-dev mailing list