ssh client and privileged ports

Florent Ouchet ouchet.florent at
Wed Jul 7 20:10:47 EST 2010


The ssh client checks for privileged ports when a local forward is about to be set. This is done in readconf.c's function "add_local_forward":

    if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
        fatal("Privileged ports can only be forwarded by root.");

The constant IPPORT_RESERVED is system wide and fixed at make time. This test is not compatible with local and dynamic strategies such as authbind. I would like a non-privileged user (uid!=0) to be able to forward local port, such as 443.

Authbind is correctly setup on my Linux box: "$ uptime | authbind nc -l 443" runs smoothly.
But "$ authbind ssh -L 443:someserver:443 ..." does not because of the previous check.

IMO the check should not be done when parsing the argument of the ssh client. The client should die when the port opening fails.

I've not reported the bug/compatibility issue yet, I would like some feedback from OpenSSH developers before.


- Florent Ouchet

Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ?
Je crée ma boîte mail

More information about the openssh-unix-dev mailing list