From: Zach Heilig <zach@gaffaneys.com>
To: dima@best.net, "Jan B. Koum"
Cc: peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG, winter@jurai.net
Date: Mon, 2 Nov 1998 02:18:05 -0600
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID: <19981102021805.A5345@znh.org>
References: <19981101213817.A11911@best.com> <199811020647.WAA25893@burka.rdy.com>
In-Reply-To: <199811020647.WAA25893@burka.rdy.com>; from Dima Ruban on Sun, Nov 01, 1998 at 10:47:20PM -0800
X-Mailer: Mutt 0.93.2i

On Sun, Nov 01, 1998 at 10:47:20PM -0800, Dima Ruban wrote:
> Jan B. Koum writes:
> > I have been using ssh this way for about a year and haven't
> > seen any. Then again - I am not doing anything fancy with ssh.
> > And no, I don't need to have ssh installed suid just to get
> > .rhost type authentication.
> Let me ask you this. Would you trust a packet that came from a non-privileged
> port and which wants to do something that even remotely should be secure?

There probably isn't much of a difference between privileged and non-privileged ports anymore (if there ever was).

Specifically, any connection coming from a < 1024 port (from an unknown host) is just as untrustworthy as a connection from a >= 1024 port (from an unknown host). If the connection is from a known host, it's not much more trustworthy, due to spoofing.

-- 
Zach Heilig
If it looks like a duck, and quacks like a duck, we have to at least consider the possibility that we have a small aquatic bird of the family Anatidae on our hands (Douglas Adams -- Dirk Gently's Holistic Detective Agency)