From owner-freebsd-stable@FreeBSD.ORG Thu Oct 8 17:13:31 2009
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG, db@danielbond.org, dougb@FreeBSD.ORG
Date: Thu, 8 Oct 2009 19:13:00 +0200 (CEST)
Subject: Re: openssh concerns
Message-Id: <200910081713.n98HD0kj079775@lurza.secnetix.de>
In-Reply-To: <460A3E92-37D5-49CA-A079-EC08867B8DD4@danielbond.org>
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.4-PRERELEASE-20080904 (i386))

> Doug Barton wrote:
> > Daniel Bond wrote:
> > > However, I'm concerned about the suggestion of using an
> > > unprivileged port
> >
> > Please explain your reasoning, and how it's relevant in a world where
> > the vast majority of Internet users have complete administrative
> > control over the systems they use.

There are shell machines with lots of user accounts, none of which
have administrative control of the system. In fact I'm running such
a machine myself.

Suppose there is a security hole in sshd that enables a DoS attack,
i.e. some user is able to kill the sshd daemon. Or maybe the sshd
daemon dies because of some other, unrelated reason. If it was
running on an unprivileged port, a normal user would now be able to
start up his own (probably modified) sshd daemon on the very same
port. He won't have the correct host key, of course, but I can tell
you that many users ignore the warning and innocently type "yes"
when asked whether to accept the fingerprint. "Probably the admin
reinstalled something, this happened before, don't worry."

If you run the sshd daemon on a privileged port < 1024 (or one
protected by mac_portacl(4)), that security problem does not exist
at all. Normal users can't start up a fake daemon on such a port if
the real daemon dies.

Even if there are no user accounts, it's not worth taking chances.
It's always possible that there will be some hole in some silly,
unrelated daemon that enables remote execution ... then you have a
"user account" without knowing. Successful attacks are often the
result of two or more unrelated holes, so it's definitely worth
plugging every single hole, even small ones that seem unimportant.
Running a critical daemon like sshd on an unprivileged port is such
a hole, in my opinion.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd
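The check an administrator would want after reading the argument above, as an added example that is not part of the original thread: a small POSIX sh audit that lists the ports sshd is configured to listen on and flags any port >= 1024 that no `uid:0:tcp:<port>` rule in `security.mac.portacl.rules` reserves for root. The sshd_config fragment and the portacl rule string are constructed samples standing in for `/etc/ssh/sshd_config` and `sysctl -n security.mac.portacl.rules`.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): report sshd
# listening ports outside the privileged range (< 1024) that are also not
# reserved for root by a mac_portacl(4) rule. Such a port could be rebound
# by an ordinary local user if the real sshd process ever dies.

# Constructed sample sshd_config fragment (stand-in for /etc/ssh/sshd_config).
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
Port 2222
#Port 8022
ListenAddress 0.0.0.0:2200
ListenAddress [::]:2200
'

# Constructed stand-in for: sysctl -n security.mac.portacl.rules
# Rule format is idtype:id:protocol:port, comma separated; here TCP 2200 is
# reserved for uid 0 (root), TCP 2222 is not.
SAMPLE_PORTACL='uid:0:tcp:2200,uid:0:udp:514'

# Print every TCP port sshd would listen on, one per line, from Port lines and
# from ListenAddress lines of the form host:port or [ipv6]:port.
sshd_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "port" { print $2 }
        tolower($1) == "listenaddress" && $2 ~ /^(\[.*\]|[0-9.]+):[0-9]+$/ {
            sub(/.*:/, "", $2); print $2
        }
    ' | sort -un
}

# Print the ports >= 1024 that no uid:0:tcp:<port> rule protects.
unprotected_ports() {
    for p in $(sshd_ports "$1"); do
        [ "$p" -ge 1024 ] || continue          # privileged port: root only anyway
        case ",$2," in
            *",uid:0:tcp:$p,"*) ;;             # reserved for root by mac_portacl
            *) echo "$p" ;;
        esac
    done
}

# Stand-alone run against the constructed samples.
for p in $(unprotected_ports "$SAMPLE_CONFIG" "$SAMPLE_PORTACL"); do
    echo "WARNING: sshd port $p is unprivileged and not protected by mac_portacl"
done
```

Note that mac_portacl(4) only enforces its rules up to `security.mac.portacl.port_high` (default 1023), so a rule for a high port protects nothing unless that sysctl is raised as well.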