Bugtraq mailing list archives
Re: SSH LocalForward
From: bandregg () REDHAT COM (Bryan Andregg)
Date: Tue, 5 Aug 1997 13:29:28 -0400
On Tue, 5 Aug 1997 00:33:39 -0400, Kyle Amon wrote:
> In fact, I also recommend taking this step a little further. You can help to ensure that ssh is not used with 'rhosts' or 'RSA rhosts' authentication even if the setuid bit is set (or later reset), by configuring your router's ACLs to only accept ssh source ports of 1024 and above. Of course, this won't help connections that don't go through the routers, but it adds a little bit of extra protection and even flexibility. For example, in an environment with a medium internal trust level and low external trust level, it might be desirable to allow 'rhosts' and/or 'RSA rhosts' authentication internally and yet ensure that this relaxed posture is not also a 'feature' to the outside world. You could leave the ssh setuid bit on and configure internal routers to accept ssh source ports of 1022 and above while configuring border routers to only accept ssh source ports of 1024 and above. You could then allow the more relaxed posture internally while not also relaxing your trust of the outside world OR prohibiting more secure 'RSA only' (augmented with S/Key, etc. if desired) ssh traffic from/to the outside world. This could be especially useful in complex transitive trust environments.
Actually, blocking ssh from ports lower than 1024 causes problems for those who use ssh as root. When using ssh as root (non-setuid even) ssh uses a reserved port still.

--
Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software
"Sure, to you she's just a set of intercorrelated coordinates. What fun is that?" -- 'Experiment Zero', Man or Astroman?
"Donnie were much more 'user-friendly'. May be you selective about friends:-)" -- Levente Farkas
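As an added illustration of the two-tier ACL scheme discussed in this thread (example code, not from either poster), the following simulation applies the internal rule (source port 1022 and above) and the border rule (1024 and above) to constructed ssh connection attempts, and shows why root's client, which still binds a reserved port, is dropped at the border. The client port model is a simplification: it assumes the client takes 1023 when setuid or run as root, and the ephemeral port 40000 is a constructed value.

```python
from dataclasses import dataclass

SSH_PORT = 22
INTERNAL_MIN_SRC_PORT = 1022  # internal routers: reserved ports 1022/1023 still pass
BORDER_MIN_SRC_PORT = 1024    # border routers: only unprivileged source ports pass
EPHEMERAL_PORT = 40000        # constructed example of a non-reserved client port


@dataclass(frozen=True)
class SshFlow:
    src_port: int
    dst_port: int
    crosses_border: bool  # True when the packet traverses a border router


def client_source_port(uid: int, ssh_is_setuid: bool) -> int:
    """Simplified model of the ssh client's port choice as the thread describes it:
    a setuid client, or one run by root, binds a reserved port (below 1024) so that
    rhosts / RSA-rhosts authentication is possible; otherwise it gets an ephemeral port."""
    if uid == 0 or ssh_is_setuid:
        return 1023  # assumption: the first reserved port the client tries
    return EPHEMERAL_PORT


def acl_permits(flow: SshFlow) -> bool:
    """Apply the router ACL the flow actually meets: border routers accept ssh
    only from source ports >= 1024, internal routers from >= 1022."""
    if flow.dst_port != SSH_PORT:
        return False  # this model covers only the ssh rule
    threshold = BORDER_MIN_SRC_PORT if flow.crosses_border else INTERNAL_MIN_SRC_PORT
    return flow.src_port >= threshold


def ssh_allowed(uid: int, ssh_is_setuid: bool, crosses_border: bool) -> bool:
    """Combine client behaviour and router policy for one connection attempt."""
    flow = SshFlow(client_source_port(uid, ssh_is_setuid), SSH_PORT, crosses_border)
    return acl_permits(flow)


if __name__ == "__main__":
    # Internal setuid client: reserved port passes the internal router, rhosts auth works.
    print("internal setuid user:", ssh_allowed(1000, True, False))  # True
    # Same client to the outside: the border router drops the reserved source port.
    print("border setuid user  :", ssh_allowed(1000, True, True))   # False
    # Non-setuid client run by a normal user: ephemeral port passes everywhere.
    print("border non-setuid   :", ssh_allowed(1000, False, True))  # True
    # Bryan's caveat: root still binds a reserved port, so root's ssh is blocked at the border.
    print("border root         :", ssh_allowed(0, False, True))     # False
```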