Re: SSH LocalForward

[bandregg () REDHAT COM (Bryan Andregg)]

On Tue, 5 Aug 1997 00:33:39 -0400, Kyle Amon wrote:

> In fact, I also recommed taking this step a little further.  You can help
> to ensure that ssh is not used with 'rhosts' or 'RSA rhosts' authentication
> even if the setuid bit is set (or later reset), by configuring your router's
> ACLs to only accept ssh source ports of 1024 and above.  Of course, this
> won't help connections that don't go through the routers, but it adds a
> little bit of extra protection and even flexibility.  For example, in an
> environment with a medium internal trust level and low external trust level,
> it might be desirable to allow 'rhosts' and/or 'RSA rhosts' authentication
> internally and yet insure that this relaxed posture is not also a 'feature'
> to the outside world.  You could leave the ssh setuid bit on and configure
> internal routers to accept ssh source ports of 1022 and above while
> configuring border routers to only accept ssh source ports of 1024 and above.
> You could then allow the more relaxed posture internally while not also
> relaxing your trust of the outside world OR prohibiting more secure 'RSA
> only' (augmented with S/Key, etc. if desired) ssh trafic from/to the outside
> world.  This could be especially usefull in complex transitive trust
> environments.

Actually blocking ssh from ports lower than 1024 causes problems who use ssh
as root. When using ssh as root (non-setuid even) ssh uses a reserved port
still.

--
                Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software

"Sure, to you she's just a set of intercorrelated coordinates.
       What fun is that?" -- 'Experiment Zero', Man or Astroman?

"Donnie were much more 'user-friendly'. May be you selective
       about friends:-)" -- Levente Farkas