Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?
Gert Doering
gert at greenie.muc.de
Fri Jul 6 19:36:44 AEST 2018
Hi,
On Fri, Jul 06, 2018 at 05:54:24PM +1000, Darren Tucker wrote:
> On 6 July 2018 at 17:24, Gert Doering <gert at greenie.muc.de>wrote:
> [...]
> > I think we have one customer connection where their firewall admin
> > thinks "it is more secure that way" - read, we can't ssh in if we come
> > from high ports.
> >
> > OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> > niche problem with a viable workaround, so I can't think of any
> > remaining reason why we'd want suid ssh anymore ;-)
>
> There's another possibility: if you have a NAT-capable packet filter
> in the path you might be able to remap the source ports using source
> NAT. I think that'd be --to-source=1.2.3.4:800:1023 in iptables (not
> sure about other systems, I didn't see an obvious way to do it with
> PF).
While feasible, I wouldn't actually want to do that. "If there needs to
be something special in SSH for this particular customer, I want this
to be visible in /etc/ssh/ssh_config".
If I hide it in the network, nobody but me will understand why things
are working, and I will eventually forget...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
More information about the openssh-unix-dev
mailing list