From: Andre Albsmeier
To: airboss@bitstream.net
Cc: Andre Albsmeier, freebsd-security@freebsd.org
Date: Thu, 3 Aug 2000 08:10:49 +0200
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000803081049.A2901@curry.mchp.siemens.de>
References: <20000803074228.A1682@curry.mchp.siemens.de>

On Thu, 03-Aug-2000 at 01:15:23 -0500, airboss@bitstream.net wrote:

> On Thu, 3 Aug 2000, Andre Albsmeier wrote:
>
> > As the subject says: What functionality will I lose when ssh
> > in 4.1-STABLE is not setuid root anymore?
>
> The setuid SSH uses low ephemeral ports -- starting around 1000 for
> ordinary SSH, and at 950 or so for OpenSSH -- instead of the ordinary
> 1024-65535. Apparently, the intent is that one "proves" one's authenticity
> by binding to a low port. All this really proves (IMHO) is that you have a
> setuid binary on your machine ;).
>
> Removing the setuid bit may (as stated by others) break rhosts
> authentication, but is otherwise harmless, AFAIK. There's plenty of
> comment on this subject on the OpenSSH mailing list.

Will look there, thanks for the hint.

	-Andre
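Added example, not part of the original messages: a shell check an administrator could run before stripping the setuid bit, reporting whether the client configuration explicitly enables the rhosts-style methods that the thread says depend on it. The function names and verdict strings are hypothetical; RhostsAuthentication, RhostsRSAAuthentication and UsePrivilegedPort are historical OpenSSH client keywords, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does an ssh client still need setuid root?
# Only explicit ssh_config settings are checked; compiled-in defaults vary by version.

# Succeeds if any line sets an rhosts-style method or UsePrivilegedPort to "yes".
# Keywords are case-insensitive and may be written "Key value" or "Key=value".
# Host blocks are ignored on purpose: one enabled match anywhere counts.
uses_privileged_port() {
    awk '{
        line = $0
        sub(/#.*/, "", line)            # drop comments
        gsub(/=/, " ", line)            # accept Key=value
        if (split(line, f, " ") < 2) next
        key = tolower(f[1]); val = tolower(f[2])
        if (val == "yes" && (key == "rhostsauthentication" ||
            key == "rhostsrsaauthentication" || key == "useprivilegedport")) found = 1
    }
    END { exit(found ? 0 : 1) }' "$1"
}

# Prints a verdict for one binary/config pair (both paths supplied by the caller).
audit_ssh_setuid() {
    if [ ! -u "$1" ]; then
        echo "not-setuid"
    elif uses_privileged_port "$2"; then
        echo "setuid-needed-for-rhosts"
    else
        echo "setuid-not-required-by-config"
    fi
}

# Usage: sh audit.sh <ssh-binary> <ssh_config>
if [ "$#" -eq 2 ]; then
    audit_ssh_setuid "$1" "$2"
else
    # Constructed sample: a setuid stand-in file and a config enabling rhosts-RSA.
    tmp=$(mktemp -d)
    : > "$tmp/ssh"; chmod 4755 "$tmp/ssh"
    printf 'Host *\n  RhostsRSAAuthentication yes\n' > "$tmp/config"
    audit_ssh_setuid "$tmp/ssh" "$tmp/config"
    rm -rf "$tmp"
fi
```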