Date: Mon, 2 Nov 1998 02:18:05 -0600
From: Zach Heilig <zach@gaffaneys.com>
To: dima@best.net, "Jan B. Koum " <jkb@best.com>
Cc: peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID: <19981102021805.A5345@znh.org>
In-Reply-To: <199811020647.WAA25893@burka.rdy.com>; from Dima Ruban on Sun, Nov 01, 1998 at 10:47:20PM -0800
References: <19981101213817.A11911@best.com> <199811020647.WAA25893@burka.rdy.com>
On Sun, Nov 01, 1998 at 10:47:20PM -0800, Dima Ruban wrote:
> Jan B. Koum writes:
> > I have been using ssh this way for about a year and haven't
> > seen any. Then again - I am not doing anything fancy with ssh.
> > And no, I don't need to have ssh installed suid just to get
> > .rhost type authentication.
> Let me ask you this. Would you trust a packet that came from a non-privileged
> port and which wants to do something that even remotely should be secure?

There probably isn't much of a difference between privileged and non-privileged
ports anymore (if there ever was). Specifically, any connection coming from a
< 1024 port (from an unknown host) is just as untrustworthy as a connection
from a >= 1024 port (from an unknown host). If the connection is from a known
host, it's not much more trustworthy, due to spoofing.

--
Zach Heilig <zach@gaffaneys.com>
If it looks like a duck, and quacks like a duck, we have to at least consider
the possibility that we have a small aquatic bird of the family Anatidae on
our hands (Douglas Adams -- Dirk Gently's Holistic Detective Agency)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
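The point Zach makes above (a low source port and a known-looking hostname are both properties the remote side controls, so they are not evidence of identity) can be shown side by side with the kind of host authentication SSH replaced .rhosts with. The following Python is an added example written for this archive page, not code from the thread, OpenSSH or FreeBSD; it assumes a per-host shared secret answered with HMAC over a fresh challenge as a stand-in for SSH's public-key host authentication, and all hostnames, ports and secrets are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one "known host" with a per-host secret. The secret is an
# assumption standing in for an SSH host key so the example runs offline.
HOST_SECRETS = {
    "trusted.example.org": b"constructed-secret-for-trusted-host",
}


@dataclass
class Connection:
    claimed_host: str           # what reverse DNS / the peer claims it is
    source_port: int            # TCP source port as the server's accept() sees it
    host_key: Optional[bytes]   # secret the peer really holds (None = none at all)


def rhosts_trust(conn: Connection, known_hosts=HOST_SECRETS) -> bool:
    """Legacy .rhosts / rlogin-style check: trust the peer if the claimed host
    is in the known list and the source port is 'privileged' (< 1024).
    Both inputs are chosen by whoever is root on the remote machine."""
    return conn.claimed_host in known_hosts and conn.source_port < 1024


def host_key_trust(conn: Connection, known_hosts=HOST_SECRETS,
                   challenge: Optional[bytes] = None) -> bool:
    """Challenge/response host authentication: the server picks a fresh random
    challenge and only a peer holding the key registered for the claimed host
    can produce the matching answer. The source port plays no role."""
    key = known_hosts.get(conn.claimed_host)
    if key is None or conn.host_key is None:
        return False
    if challenge is None:
        challenge = secrets.token_bytes(32)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    answer = hmac.new(conn.host_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, answer)


def evaluate(connections):
    """Return (claimed_host, source_port, rhosts_verdict, host_key_verdict)
    for each connection so the two policies can be compared."""
    return [(c.claimed_host, c.source_port, rhosts_trust(c), host_key_trust(c))
            for c in connections]


# Constructed connections: genuine known host on a low port; a peer that only
# claims the known host's name and binds a low port (spoofed); an unknown host
# on a low port; and the genuine host again from an unprivileged port.
SAMPLE = [
    Connection("trusted.example.org", 1022, HOST_SECRETS["trusted.example.org"]),
    Connection("trusted.example.org", 1022, None),
    Connection("unknown.example.net", 1023, None),
    Connection("trusted.example.org", 40000, HOST_SECRETS["trusted.example.org"]),
]

if __name__ == "__main__":
    for host, port, rhosts_ok, key_ok in evaluate(SAMPLE):
        print(f"{host:22} port {port:5}  rhosts={rhosts_ok!s:5}  hostkey={key_ok}")
```

The second connection is the case the message describes: it passes the port-based check using nothing but a forged name and a low port, while the key-based check rejects it; the fourth shows that once the peer proves possession of the host key, whether it came from a port above or below 1024 does not matter.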