Date: Sat, 18 Aug 2001 13:19:26 +0300 From: Valentin Nechayev <netch@iv.nn.kiev.ua> To: Olafur Osvaldsson <oli@isnic.is> Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: ssh and setuid Message-ID: <20010818131925.A1393@iv.nn.kiev.ua> In-Reply-To: <20010815162132.J70497@isnic.is>; from oli@isnic.is on Wed, Aug 15, 2001 at 04:21:32PM %2B0000 References: <20010815162132.J70497@isnic.is>
next in thread | previous in thread | raw e-mail | index | archive | help
Wed, Aug 15, 2001 at 16:21:32, oli (Olafur Osvaldsson) wrote about "ssh and setuid": [...] > As the ssh in FreeBSD is by default not setuid it uses a higher than privileged > port for connecting so obviously that is the reason for my troubles. > > Wouldn't it be better to only disable rhosts_authentication instead of disabling > both when the port is not privileged or atleast have this as an option in > make.conf for those that want this option without setting the setuid bit on ssh? RhostsRSAAuthentication needs private key of client host. Private key should be readable only for root, i.e. non-setuid ssh cannot read it. Hence, I can try to determine logic of disabling RhostsRSAAuthentication when connect was from non-privileged port: it quickly disables faked host key checking without semi-expensive RSA/DSA computations. But, there is another problem here: can client host create more than 512 outgoing ssh connections? In such case port range 512...1023 will be exhausted, and RhostsRSAAuthentication will fail insuspectively. /netch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010818131925.A1393>