Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?

Darren Tucker dtucker at dtucker.net
Fri Jul 6 15:58:30 AEST 2018


Hi.

Does anyone use UsePrivilegedPort or have ssh(1) setuid, and if so for
what use case?

ssh(1) has had code in it to support installing setuid root since
approximately forever, however OpenBSD has not shipped it in that
configuration since 2002 (and I suspect these days no vendor does).

As far as I can tell, all of the reasons for this no longer apply:

 - setuid root was needed to bind to privileged (low numbered) ports.
 - privileged ports were needed for rhosts and rhostsrsa
authentication.  rhosts is long dead, and rhostsrsa went with the last
of Protocol 1.
 - root privileges were needed to read the host keys for Protocol 2
hostbased authentication, but that need was replaced by the
ssh-keysign setuid helper program, also in 2002.

So, does anyone use these and if so why?  If it's for low numbered
ports, there are safer ways to do that these days (CAP_NET_BIND or
similar if you have it, or a small setuid ProxyCommand).

Thanks.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
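What the "small setuid ProxyCommand" option above can look like, as an added example for this thread (not OpenSSH code and not written by the message's author). It assumes Linux/glibc, a hypothetical install path of /usr/local/libexec/lowport-proxy, and that it is installed root-owned with mode 4711. The point of the structure is that root is used for exactly one thing, binding a source port in the rresvport(3) range 512..1023, and is dropped before the resolver, the connect(2) and the relay loop ever touch network data, so ssh(1) itself never needs to be setuid:

```c
/* lowport-proxy.c: minimal setuid-root ProxyCommand that gives ssh(1) a
 * reserved (<1024) source port without ssh itself being setuid.
 * Added example for this thread, not OpenSSH code; assumes Linux/glibc.
 * Only socket()+bind() run as root; privileges are dropped before the
 * resolver runs and before any byte from the network is read. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to the highest free port in 512..1023 (the rresvport(3) range).
 * Returns the port, or -1 with errno set (EACCES when not privileged). */
int bind_reserved_port(int fd, int family)
{
    struct sockaddr_in6 s6;
    struct sockaddr_in s4;
    int port;

    for (port = 1023; port >= 512; port--) {
        if (family == AF_INET6) {
            memset(&s6, 0, sizeof s6);
            s6.sin6_family = AF_INET6;
            s6.sin6_port = htons((uint16_t)port);
            s6.sin6_addr = in6addr_any;
            if (bind(fd, (struct sockaddr *)&s6, sizeof s6) == 0) return port;
        } else {
            memset(&s4, 0, sizeof s4);
            s4.sin_family = AF_INET;
            s4.sin_port = htons((uint16_t)port);
            s4.sin_addr.s_addr = htonl(INADDR_ANY);
            if (bind(fd, (struct sockaddr *)&s4, sizeof s4) == 0) return port;
        }
        if (errno != EADDRINUSE) return -1;   /* EACCES, EBADF, ... */
    }
    errno = EAGAIN;                           /* whole range in use */
    return -1;
}

/* Permanently drop to the invoking user's uid/gid. Returns 0 on success.
 * Groups and gid first, uid last, then verify root cannot be regained. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    if (uid != 0 && (setuid(0) != -1 || seteuid(0) != -1)) return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Shovel bytes between stdin/stdout (ssh) and the socket until a side closes.
 * A short write is treated as an error to keep the loop small. */
static void relay(int sock)
{
    struct pollfd pfd[2] = { { STDIN_FILENO, POLLIN, 0 }, { sock, POLLIN, 0 } };
    char buf[16384];
    ssize_t n;

    for (;;) {
        if (poll(pfd, 2, -1) == -1) { if (errno == EINTR) continue; return; }
        if (pfd[0].revents & (POLLIN | POLLHUP | POLLERR)) {
            if ((n = read(STDIN_FILENO, buf, sizeof buf)) <= 0) return;
            if (write(sock, buf, (size_t)n) != n) return;
        }
        if (pfd[1].revents & (POLLIN | POLLHUP | POLLERR)) {
            if ((n = read(sock, buf, sizeof buf)) <= 0) return;
            if (write(STDOUT_FILENO, buf, (size_t)n) != n) return;
        }
    }
}

int main(int argc, char **argv)
{
    int families[2] = { AF_INET, AF_INET6 }, fds[2] = { -1, -1 }, sock = -1, i;
    struct addrinfo hints, *res, *ai;

    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 1; }
    /* Privileged phase: one pre-bound socket per family, no network input. */
    for (i = 0; i < 2; i++) {
        fds[i] = socket(families[i], SOCK_STREAM, 0);
        if (fds[i] != -1 && bind_reserved_port(fds[i], families[i]) == -1) {
            close(fds[i]); fds[i] = -1;
        }
    }
    if (drop_privileges() == -1) { perror("drop_privileges"); return 1; }
    /* Unprivileged phase: resolver, connect and relay run as the caller.
     * One connect attempt per family; a socket whose connect failed is not reused. */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(argv[1], argv[2], &hints, &res) != 0) {
        fprintf(stderr, "cannot resolve %s\n", argv[1]); return 1;
    }
    for (ai = res; ai != NULL && sock == -1; ai = ai->ai_next) {
        i = (ai->ai_family == AF_INET6) ? 1 : 0;
        if (fds[i] == -1) continue;
        if (connect(fds[i], ai->ai_addr, ai->ai_addrlen) == 0) sock = fds[i];
        else { close(fds[i]); fds[i] = -1; }
    }
    freeaddrinfo(res);
    if (sock == -1) { fprintf(stderr, "connect to %s failed\n", argv[1]); return 1; }
    relay(sock);
    return 0;
}
```

Wired in with `ssh -o 'ProxyCommand /usr/local/libexec/lowport-proxy %h %p' host` (path is the assumed one above). The capability route the message mentions is the Linux capability CAP_NET_BIND_SERVICE: granting it with `setcap cap_net_bind_service=+ep` to a private copy of this helper (or of ssh) avoids setuid root entirely, at the cost of the helper being able to bind any low port, not just 512..1023. Either way the privileged code should stay this small: no environment-driven options, no config parsing, and nothing read from the network before the drop, because a peer that checks the source port is trusting the client host's root, not the user.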


More information about the openssh-unix-dev mailing list