[5108] in bugtraq


Re: SSH LocalForward

daemon@ATHENA.MIT.EDU (Bryan Andregg)
Tue Aug 5 14:37:17 1997

Date: 	Tue, 5 Aug 1997 13:29:28 -0400
Reply-To: Bryan Andregg <bandregg@REDHAT.COM>
From: Bryan Andregg <bandregg@REDHAT.COM>
X-To:         Kyle Amon <amonk@LABYRINTH.CFTNET.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Tue, 05 Aug 1997 00:33:39 EDT." 
              <Pine.LNX.3.91.970804233258.15770F-100000@labyrinth.cftnet.com>

On Tue, 5 Aug 1997 00:33:39 -0400, Kyle Amon wrote:

>In fact, I also recommend taking this step a little further.  You can help
>to ensure that ssh is not used with 'rhosts' or 'RSA rhosts' authentication
>even if the setuid bit is set (or later reset), by configuring your router's
>ACLs to only accept ssh source ports of 1024 and above.  Of course, this
>won't help connections that don't go through the routers, but it adds a
>little bit of extra protection and even flexibility.  For example, in an
>environment with a medium internal trust level and low external trust level,
>it might be desirable to allow 'rhosts' and/or 'RSA rhosts' authentication
>internally and yet insure that this relaxed posture is not also a 'feature'
>to the outside world.  You could leave the ssh setuid bit on and configure
>internal routers to accept ssh source ports of 1022 and above while
>configuring border routers to only accept ssh source ports of 1024 and above.
>You could then allow the more relaxed posture internally while not also
>relaxing your trust of the outside world OR prohibiting more secure 'RSA
>only' (augmented with S/Key, etc. if desired) ssh traffic from/to the outside
>world.  This could be especially useful in complex transitive trust
>environments.

Actually, blocking ssh from ports lower than 1024 causes problems for those who
use ssh as root. When using ssh as root (non-setuid even), ssh still uses a
reserved port.

--
                Bryan C. Andregg * <bandregg@redhat.com> * Red Hat Software

"Sure, to you she's just a set of intercorrelated coordinates.
       What fun is that?" -- 'Experiment Zero', Man or Astroman?

"Donnie were much more 'user-friendly'. May be you selective
       about friends:-)" -- Levente Farkas
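As an added illustration, not part of either message in this thread, here is a small Python model of the source-port ACL policy Kyle describes (border routers accept ssh only from source ports 1024 and above, internal routers from 1022 and above), run over constructed flow-log lines; the log format, addresses and function names are assumptions. The privileged-port external flow it denies is also the case Bryan's reply raises: an ssh client run as root binds a reserved source port too, so the border rule blocks it along with rhosts-style authentication.

```python
import re
from dataclasses import dataclass

SSH_PORT = 22
# Minimum accepted ssh source port per router role, as stated in the thread.
MIN_SRC_PORT = {"border": 1024, "internal": 1022}

# Constructed log format (not from any real router): one TCP flow per line,
# e.g. "border tcp 203.0.113.10:1021 -> 192.0.2.5:22".
LINE_RE = re.compile(
    r"^(?P<router>border|internal) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass(frozen=True)
class Flow:
    router: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(m["router"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def acl_permits(flow: Flow) -> bool:
    """True if the router's ACL accepts the flow; non-ssh traffic is out of scope."""
    if flow.dport != SSH_PORT:
        return True
    return flow.sport >= MIN_SRC_PORT[flow.router]

def audit(lines):
    """Split a batch of log lines into (permitted, denied) flows."""
    permitted, denied = [], []
    for line in lines:
        flow = parse_flow(line)
        (permitted if acl_permits(flow) else denied).append(flow)
    return permitted, denied

# Constructed sample flows; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
border tcp 203.0.113.10:40123 -> 192.0.2.5:22
border tcp 203.0.113.10:1021 -> 192.0.2.5:22
border tcp 203.0.113.10:1021 -> 192.0.2.5:80
internal tcp 10.0.0.7:1022 -> 10.0.0.9:22
internal tcp 10.0.0.7:1000 -> 10.0.0.9:22
""".splitlines()

if __name__ == "__main__":
    for label, flows in zip(("permit", "deny"), audit(SAMPLE_LOG)):
        for f in flows:
            print(f"{label:6} {f.router:8} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```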
