Date:      Mon, 2 Nov 1998 23:29:22 +1300 (NZDT)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Dima Ruban <dima@best.net>
Cc:        "Matthew N. Dodd" <winter@jurai.net>, jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject:   Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID:  <Pine.BSF.4.01.9811022251520.771-100000@aniwa.sky>
In-Reply-To: <199811020829.AAA26460@burka.rdy.com>

On Mon, 2 Nov 1998, Dima Ruban wrote:

> Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
> 
> Matthew N. Dodd writes:
> > On Mon, 2 Nov 1998, Dima Ruban wrote:
> > > Heh. I see you run nfs on your machine. Now tell me, do you actually
> > > allow weak NFS authentication, or do you actually somehow rely on a
> > > "privileged port" stuff?
> > 
> > I'm relying on mountd to disallow mount requests from all IPs but known
> > good ones.
> 
> Don't forget about spoofing :-)
> 
> > Actually, thanks for pointing this out; sasami only uses NFS for some
> > weird AMD tricks and should even be honoring any portmap connections from
> > the world.  I've fixed this.  (Why can't we get tcpwrappers in tree and
> > enable HBA for portmap by default?)
> 
> Use firewall.
> 
> > > I'm not arguing about whether it's good or bad to have privileged
> > > ports as they are now. All I'm saying is if packet came from a
> > > privileged port, then this packet was sent by root. It's a totally
> > > different question whether you can 100% believe this information.
> > 
> > From a security standpoint, you have to assume that anything you hear is a
> > lie.
> 
> There's a small difference between feeling reasonably secure and being
> paranoid. You can always disconnect yourself completely from the network, you
> know. But since you read this mail, I think it would be safe to make an
> assumption that you're trying to be reasonably secure (hey, you kinda trust
> sendmail, which runs as root etc etc etc etc)

Sure, you trust sendmail as far as you have to on your own machine.  In
particular you trust it to guard against malicious clients, including those
on other machines.

The whole point of ssh is that it allows you to stop relying on the
network to be secure.  Ssh is at its best when the connection is only
available on presentation of an authorised key.  Given this, there's no
need for any trusted port stuff.  It adds nothing.

I guess it's nice that rhosts/shosts authentication is there for those who
want it, but to my mind the client should not be suid by default.  At
least not for the sake of connecting to a 'trusted' port.



There is another reason for having a suid client, although ssh doesn't
make use of it.  That is for providing a barrier within the client machine
which safeguards the encryption keys and limits which users have access to
a given secure connection. Say you have a cgi script which needs an
encrypted connection to a service on another machine.  You want it to be
able to use an authorized key's privileges, but in the case where the
script is compromised, you do not want that key to be stolen.

Ssh doesn't seem to provide for root owned keys though.  So you're back to
setting up ssh forwarding from a local port - better than rhosts/shosts,
but some sort of authentication has to be worked out.  Probably you use
either a file socket or a suid wrapper to ssh.  I guess this could be suid
to a non-root user which has access to the keys.

Andrew McNaughton
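The key-guarding barrier Andrew sketches above (a separate, non-root identity holds the key; local callers reach it only through a file socket and must be authenticated) is illustrated here as an added example. It is not code from this thread or from ssh. It assumes Linux, where the kernel reports the connecting process's uid through SO_PEERCRED (FreeBSD exposes the same information as LOCAL_PEERCRED, which this code does not handle), and the "key" is a constructed HMAC secret standing in for a real private key. The point of the design is that a compromised caller can ask the broker to use the key, but cannot read it, and the broker's authentication rests on kernel-supplied credentials rather than on which port a packet came from.

```python
import hashlib
import hmac
import os
import socket
import struct
import tempfile
import threading

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid (three 32-bit ints).
UCRED_FMT = "3i"

# Constructed secret standing in for the private key the broker guards.
# It never leaves this process; callers only receive the result of using it.
BROKER_KEY = b"constructed-example-key-not-a-real-key"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of an AF_UNIX socket.

    The kernel fills this in, so unlike a "privileged source port" the caller
    cannot forge it; that is what makes it usable as local authentication."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def sign_with_guarded_key(payload):
    """The privileged operation: use the key without ever handing it out."""
    return hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()


def handle_request(conn, allowed_uids):
    """Authenticate the local peer by uid, then serve or refuse its request."""
    _pid, uid, _gid = peer_credentials(conn)
    request = conn.recv(4096)
    if uid not in allowed_uids:
        conn.sendall(b"DENIED uid=%d\n" % uid)
        return "denied"
    conn.sendall(b"OK " + sign_with_guarded_key(request).encode() + b"\n")
    return "served"


def run_broker(path, allowed_uids, ready):
    """Listen on a filesystem socket, serve exactly one request, return the verdict."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # first gate: only the socket owner may connect at all
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    try:
        return handle_request(conn, allowed_uids)  # second gate: peer credentials
    finally:
        conn.close()
        srv.close()
        os.unlink(path)


def request_via_broker(allowed_uids, payload=b"use the key for me"):
    """Start a broker in a thread, connect as this process, return (reply, verdict)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "broker.sock")
        ready = threading.Event()
        outcome = {}
        t = threading.Thread(
            target=lambda: outcome.setdefault("verdict", run_broker(path, allowed_uids, ready)))
        t.start()
        ready.wait(5)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        cli.sendall(payload)
        reply = cli.recv(4096).decode().strip()
        cli.close()
        t.join(5)
        return reply, outcome.get("verdict")


def demo():
    """Same caller, two broker policies: listed uid is served, unlisted uid is refused."""
    served_reply, served_verdict = request_via_broker({os.getuid()})
    denied_reply, denied_verdict = request_via_broker(set())
    return {
        "served": served_verdict, "served_reply": served_reply,
        "denied": denied_verdict, "denied_reply": denied_reply,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as a script, the first request is answered with an HMAC tag computed over the caller's payload and the second with a DENIED line, while BROKER_KEY itself is never transmitted. In a real deployment the broker would run as the dedicated non-root user Andrew describes, own the key files, and the socket directory permissions plus the uid check would take the place of ssh's setuid client.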

