Date: Sat, 03 Mar 2001 22:26:48 -0800
From: Dima Dorfman <dima@unixfreak.org>
To: "Jim C. Nasby" <jim@nasby.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH using un-privileged ports
Message-ID: <20010304062648.9D6723E09@bazooka.unixfreak.org>
In-Reply-To: <3AA1DDFE.B9DDD347@nasby.net>; from jim@nasby.net on "Sun, 04 Mar 2001 00:17:34 -0600"

"Jim C. Nasby" <jim@nasby.net> writes:

> Has OpenSSH in -stable changed recently to cause it not to connect from
> a privileged port? My old firewall rules have suddenly stopped working,

I don't know exactly when, but it did change. Actually, what changed
was that /usr/bin/ssh is no longer installed setuid to root; that makes
it unable to use privileged ports. If you want it installed setuid to
root, set:

        ENABLE_SUID_SSH= true

in /etc/make.conf. That will make your next installworld install it
setuid to root. In the meantime, you can manually change it using
`chmod 4555 /usr/bin/ssh` (or if you have an overpowered computer, you
can just do the installworld and be on the safe side :-) ).

> The only reason I really care is that it seems to be marginally safer to
> allow from any 0-1023 to any 22 than from any to any 22, but maybe I'm
> just dreaming here... :) In any case, this does seem to be at odds with

I don't think it provides any additional security. The only time it
may help is if you think someone might want to use a computer that
isn't theirs to connect to your computer. If the former doesn't have
ssh installed, and this person doesn't have root access to it, they
wouldn't be able to connect to you. It helps in the sense that someone
won't have their resources abused, but it doesn't help you directly
since they can always use their own computer (or one they have root
access to).

Hopefully that wasn't too confusing.

                                        Dima Dorfman
                                        dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
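
The reply above ties privileged source ports to the setuid bit. As an added example (not part of the original message and not OpenSSH code), this C program attempts the same kind of reserved-port bind that rresvport(3) performs, so it can be run before and after a setuid change to see the difference. The function name `reserve_low_port` and the use of the loopback address are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example: bind a loopback TCP socket to a source port in 512..1023,
 * counting down from 1023 as rresvport(3) does. Returns the fd and stores
 * the port in *port; returns -1 with errno set on failure (EACCES when the
 * caller may not bind below 1024, which is the non-setuid ssh case). */
int reserve_low_port(int *port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    for (int p = 1023; p >= 512; p--) {
        sa.sin_port = htons((unsigned short)p);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            *port = p;
            return fd;
        }
        if (errno != EADDRINUSE)   /* e.g. EACCES: stop, retrying won't help */
            break;
    }
    int saved = errno;             /* EADDRINUSE here means the range is full */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    int port = 0;
    int fd = reserve_low_port(&port);
    if (fd < 0) {
        printf("euid %d: no port below 1024: %s\n", (int)geteuid(), strerror(errno));
        return 0;
    }
    printf("euid %d: bound source port %d\n", (int)geteuid(), port);
    close(fd);
    return 0;
}
```

The outcome depends on the effective uid and on the operating system's privileged-port policy, so the same binary can report either result on different hosts.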