Rhosts Authentication broken in 3.4.p1???
Damien Miller
djm at mindrot.org
Thu Oct 31 11:51:15 EST 2002
Randy Zagar wrote:
>
> Has ANYONE been able to verify that Rhosts authentication works with
> 3.4.p1? Does it work with other SSHv2 implementations? Anybody tried
> it on a RedHat 7.3 system?
Don't use rhosts authentication, use hostbased instead.
> Also, I'm curious about this code I found in sshd.c:
>
>
> /*
> * Check that the connection comes from a privileged port.
> * Rhosts-Authentication only makes sense from priviledged
> * programs. Of course, if the intruder has root access on his
> * local machine, he can connect from any port. So do not use these
> * authentication methods from machines that you do not trust.
> */
> if (options.rhosts_authentication &&
> (remote_port >= IPPORT_RESERVED ||
> remote_port < IPPORT_RESERVED / 2)) {
> debug("Rhosts Authentication disabled, "
> "originating port %d not trusted.", remote_port);
> options.rhosts_authentication = 0;
> }
>
> It looks to me like this overrides the config file without offering any
> way to override this policy. Also, I think this would cause
> compatability problems with the non-commercial F-Secure SSH-2.4.x client
> as it does not use privileged ports for root client connections.
>
> As a general rule I like to see security and authentication policy
> determined by config file and not by hard-coding it into the source.
> This code doesn't follow that paradigm
You clearly don't understand rhosts "authentication".
-d
More information about the openssh-unix-dev
mailing list