From owner-freebsd-stable Sat Mar 3 22:26:53 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id DD09D37B718 for ; Sat, 3 Mar 2001 22:26:48 -0800 (PST) (envelope-from dima@unixfreak.org)
Received: from hornet.unixfreak.org (hornet [63.198.170.140]) by bazooka.unixfreak.org (Postfix) with ESMTP id 9D6723E09; Sat, 3 Mar 2001 22:26:48 -0800 (PST)
To: "Jim C. Nasby"
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH using un-privileged ports
In-Reply-To: <3AA1DDFE.B9DDD347@nasby.net>; from jim@nasby.net on "Sun, 04 Mar 2001 00:17:34 -0600"
Date: Sat, 03 Mar 2001 22:26:48 -0800
From: Dima Dorfman
Message-Id: <20010304062648.9D6723E09@bazooka.unixfreak.org>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Jim C. Nasby" writes:

> Has OpenSSH in -stable changed recently to cause it not to connect from
> a privileged port? My old firewall rules have suddenly stopped working,

I don't know exactly when, but it did change. Actually, what changed was that /usr/bin/ssh is no longer installed setuid to root; that makes it unable to use privileged ports. If you want it installed setuid to root, set:

    ENABLE_SUID_SSH= true

in /etc/make.conf. That will make your next installworld install it setuid to root. In the meantime, you can manually change it using `chmod 4555 /usr/bin/ssh` (or, if you have an overpowered computer, you can just do the installworld and be on the safe side :-) ).

> The only reason I really care is that it seems to be marginally safer to
> allow from any 0-1023 to any 22 than from any to any 22, but maybe I'm
> just dreaming here... :) In any case, this does seem to be at odds with

I don't think it provides any additional security. The only time it may help is if you think someone might want to use a computer that isn't theirs to connect to your computer. If the former doesn't have ssh installed, and this person doesn't have root access to it, they wouldn't be able to connect to you. It helps in the sense that someone won't have their resources abused, but it doesn't help you directly, since they can always use their own computer (or one they have root access to).

Hopefully that wasn't too confusing.

Dima Dorfman
dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
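The two mechanisms the reply relies on, a setuid-root client binary and the kernel's refusal to let an unprivileged process bind a port below 1024, can be checked directly. The script below is an added illustration and is not code from the thread, from OpenSSH or from FreeBSD: it reads the setuid bit the way `ls -l` would show it after `chmod 4555`, and it walks down from port 1023 looking for a free reserved port the way the BSD rresvport(3) routine that ssh used does, so that a non-root run fails with EACCES exactly as the un-setuid ssh does. The loopback address, the port range and the temporary file are assumptions of the example.

```python
import os
import socket
import stat
import tempfile


def is_setuid(path):
    """True if the set-user-ID bit is on `path` (what `chmod 4555` sets)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def ls_mode_has_setuid(mode_field):
    """Parse the 10-character mode column of `ls -l`, e.g. '-r-sr-xr-x'.

    The owner-execute position (index 3) shows 's' when both setuid and
    execute are set, and 'S' when setuid is set without execute.
    """
    if len(mode_field) != 10:
        raise ValueError("expected a 10-character ls -l mode field")
    return mode_field[3] in ("s", "S")


def reserve_privileged_port(host="127.0.0.1", start=1023, stop=512):
    """Bind the highest free port in [stop+1, start], like rresvport(3).

    Returns (socket, port). Raises PermissionError when the caller lacks
    the privilege to bind below 1024 (the non-setuid ssh case), and
    OSError if every port in the range is busy.
    """
    for port in range(start, stop, -1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
        except PermissionError:
            s.close()
            raise  # not root: no reserved port is obtainable, stop here
        except OSError:
            s.close()  # EADDRINUSE or similar: try the next port down
            continue
        return s, port
    raise OSError("no reserved port free in range")


def can_use_privileged_port():
    """True if this process can source a connection from a port < 1024."""
    try:
        s, port = reserve_privileged_port()
    except PermissionError:
        return False
    s.close()
    return port < 1024


def setuid_demo_file():
    """Create a constructed temp file, mark it 4555, and report the bit.

    Stands in for the 'chmod 4555 /usr/bin/ssh' step; returns
    (path, is_setuid_after_chmod).
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o4555)
    return path, is_setuid(path)


if __name__ == "__main__":
    path, flag = setuid_demo_file()
    print("setuid bit after chmod 4555:", flag)
    os.unlink(path)
    print("can bind a privileged source port:", can_use_privileged_port())
```

Run as an ordinary user the second line prints False, which is the symptom Jim saw once ssh stopped being setuid; run as root (or by a setuid-root binary) it prints True. Note that the firewall rule itself is unchanged either way: any peer that is root on its own host can satisfy "from any 0-1023 to any 22", which is the point of the reply.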