Rhosts Authentication broken in 3.4.p1???

[Randy Zagar]

Has ANYONE been able to verify that Rhosts authentication works with 
3.4.p1?  Does it work with other SSHv2 implementations?  Anybody tried 
it on a RedHat 7.3 system?

Also, I'm curious about this code I found in sshd.c:


     /*
      * Check that the connection comes from a privileged port.
      * Rhosts-Authentication only makes sense from priviledged
      * programs.  Of course, if the intruder has root access on his
      * local machine, he can connect from any port.  So do not use these
      * authentication methods from machines that you do not trust.
      */
      if (options.rhosts_authentication &&
         (remote_port >= IPPORT_RESERVED ||
          remote_port < IPPORT_RESERVED / 2)) {
             debug("Rhosts Authentication disabled, "
                 "originating port %d not trusted.", remote_port);
             options.rhosts_authentication = 0;
      }

It looks to me like this overrides the config file without offering any 
way to override this policy.  Also, I think this would cause 
compatability problems with the non-commercial F-Secure SSH-2.4.x client 
as it does not use privileged ports for root client connections.

As a general rule I like to see security and authentication policy 
determined by config file and not by hard-coding it into the source. 
This code doesn't follow that paradigm.

-Randy