Call for testing: OpenSSH 7.3

Darren Tucker dtucker at
Fri Jul 22 23:32:51 AEST 2016

On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at> wrote:
> Hmm.  If that only affects Cygwin, and if defines.h is not synced anyway,
> what about getting rid of the configure stuff entirely?
> Tested counterproposal:

Looks reasonable.  It's late here so I'm going to look at it tomorrow.

> As for the comment preceeding the definition, I didn't change it from
> your text in my proposal.  However.
> I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> terms of the implementation of bindresvport_sa and rcmd.  It's not just
> backward compatibility.  There are also applications out there which
> still expect this value to make sense.

Fair point.

> The *real* problem here is that OpenSSH checks for uid 0 before allowing
> to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> decide if the current user is allowed to bind that port.
> From my POV this check in OpenSSH is gratuitious and it's the real reason
> we have this problem at all.

In the case of sshd running with privsep off, the process doing the
binding is still running as root and I suspect those checks date back
to when it was always running as root.  It could probably
temporarily_use_uid() though.


Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list