mailing list archives
Re: SSH LocalForward
From: bandregg () REDHAT COM (Bryan Andregg)
Date: Tue, 5 Aug 1997 13:29:28 -0400
On Tue, 5 Aug 1997 00:33:39 -0400, Kyle Amon wrote:
In fact, I also recommed taking this step a little further. You can help
to ensure that ssh is not used with 'rhosts' or 'RSA rhosts' authentication
even if the setuid bit is set (or later reset), by configuring your router's
ACLs to only accept ssh source ports of 1024 and above. Of course, this
won't help connections that don't go through the routers, but it adds a
little bit of extra protection and even flexibility. For example, in an
environment with a medium internal trust level and low external trust level,
it might be desirable to allow 'rhosts' and/or 'RSA rhosts' authentication
internally and yet insure that this relaxed posture is not also a 'feature'
to the outside world. You could leave the ssh setuid bit on and configure
internal routers to accept ssh source ports of 1022 and above while
configuring border routers to only accept ssh source ports of 1024 and above.
You could then allow the more relaxed posture internally while not also
relaxing your trust of the outside world OR prohibiting more secure 'RSA
only' (augmented with S/Key, etc. if desired) ssh trafic from/to the outside
world. This could be especially usefull in complex transitive trust
Actually blocking ssh from ports lower than 1024 causes problems who use ssh
as root. When using ssh as root (non-setuid even) ssh uses a reserved port
Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software
"Sure, to you she's just a set of intercorrelated coordinates.
What fun is that?" -- 'Experiment Zero', Man or Astroman?
"Donnie were much more 'user-friendly'. May be you selective
about friends:-)" -- Levente Farkas