ssh client and privileged ports
Florent Ouchet
ouchet.florent at laposte.net
Wed Jul 7 20:10:47 EST 2010
Hello,
The ssh client checks for privileged ports when a local forward is about to be set. This is done in readconf.c's function "add_local_forward":
    if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
        fatal("Privileged ports can only be forwarded by root.");
The constant IPPORT_RESERVED is system-wide and fixed at make time. This test is not compatible with local and dynamic strategies such as authbind. I would like a non-privileged user (uid!=0) to be able to forward a local port, such as 443.
Authbind is correctly set up on my Linux box: "$ uptime | authbind nc 127.0.0.1 -l 443" runs smoothly.
But "$ authbind ssh -L 443:someserver:443 ..." does not because of the previous check.
IMO the check should not be done when parsing the argument of the ssh client. The client should die when the port opening fails.
I've not reported the bug/compatibility issue yet; I would like some feedback from OpenSSH developers first.
Regards,
- Florent Ouchet
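
An added example, not part of the original message and not OpenSSH code: the two places the check discussed above can live. `static_check_allows` models the quoted parse-time test, and `try_listen` leaves the decision to the kernel at bind time and returns the errno; all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added illustration, not OpenSSH source; function names are hypothetical.
 * Parse-time policy as quoted in the message: a constant compared with the
 * uid, decided before any socket exists. Returns 1 if the forward is accepted. */
int static_check_allows(int listen_port, uid_t real_uid)
{
    return !(listen_port < IPPORT_RESERVED && real_uid != 0);
}

/* Bind-time check: let the kernel decide. Returns a listening fd, or -1 with
 * *err holding errno (EACCES when the OS refuses a privileged port). */
int try_listen(const char *addr, int port, int *err)
{
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    *err = 0;
    if (fd < 0) { *err = errno; return -1; }
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) { *err = EINVAL; close(fd); return -1; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) {
        *err = errno; close(fd); return -1;
    }
    return fd;
}

/* Port actually bound (non-zero even when port 0 was requested). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? -1 : ntohs(sa.sin_port);
}

int main(void)
{
    int err, fd = try_listen("127.0.0.1", 443, &err); /* 443: port from the message */
    printf("static check says: %s\n", static_check_allows(443, getuid()) ? "allow" : "refuse");
    if (fd < 0) { fprintf(stderr, "bind 443 failed: %s\n", strerror(err)); return 1; }
    printf("listening on port %d\n", bound_port(fd));
    close(fd); return 0;
}
```

The static check and the bind result can disagree in either direction: the constant knows nothing about authbind or per-system port policy, while a bind failure reports the operating system's actual decision.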