From: Daniel Roethlisberger
To: freebsd-stable@FreeBSD.ORG
Date: Mon, 12 Oct 2009 11:45:19 +0200
Subject: Re: openssh concerns
Message-ID: <20091012094519.GA29445@calvin.ustdmz.roe.ch>
References: <200910081823.n98INRVZ082461@lurza.secnetix.de>
List-Id: Production branch of FreeBSD source code

Robert Watson 2009-10-11:
> On Thu, 8 Oct 2009, Oliver Fromme wrote:
> >Are you sure? The majority of BSD machines in my vicinity
> >have multiple accounts.
> >
> >And even if there's only one account, there is no reason to be
> >careless with potential port-takeover risks.
> >
> >Therefore I advise against running critical daemons on
> >unprivileged ports, especially on machines with shell
> >accounts. And if you need to bind to a port >= 1024, use
> >mac_portacl(4) to protect it. It's easy to use.
> >Alternatively you can increase the value of the sysctl
> >net.inet.ip.portrange.reservedhigh, but this is less flexible
> >and might have unwanted side effects.
>
> And, for those that haven't already noticed, "options MAC" is
> compiled into GENERIC on 8.0, so working with MAC policies no
> longer requires a recompile (or in many cases, even a reboot).

If your situation allows running pf, then there's an alternative
method: bind sshd normally to port 22, but use pf to deny direct
connections to port 22, redirecting connections to some high port X
to port 22 using a `rdr pass' rule. You can even make exceptions for
trusted IP address ranges which are then allowed to SSH in directly
on port 22. That way, an unprivileged process will gain nothing by
listening on high port X; it won't get to accept() any SSH
connections.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
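The pf arrangement described in the message above, written out as a pf.conf fragment. This is an added example, not part of the original post and not taken from any FreeBSD configuration; the interface name em0, the high port 2222 and the two trusted ranges are placeholders, and sshd is assumed to keep its default ListenAddress (all addresses, so it also listens on 127.0.0.1, which is where the redirect points).

```pf
# Added example (not from the original message). Assumed values:
# external interface em0, high port 2222, trusted ranges 192.0.2.0/24
# and 198.51.100.0/24 (documentation prefixes, standing in for real ones).
ext_if    = "em0"
ssh_port  = "22"
high_port = "2222"

# Sources that may still SSH in directly on port 22.
table <trusted> const { 192.0.2.0/24, 198.51.100.0/24 }

# Local processes talking to the host over loopback are not filtered.
set skip on lo0

# Translation rules come before filter rules in this pf generation.
# "rdr pass" rewrites the destination to 127.0.0.1:22 and passes the
# packet at once, skipping the filter rules below. The rewrite happens
# in the kernel before delivery, so a socket that an unprivileged user
# has bound to port 2222 never sees these connections; they always end
# up at sshd on port 22. The rule is IPv4-only because its target is an
# IPv4 address; an IPv6 counterpart would use "inet6" and "-> ::1".
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $high_port \
    -> 127.0.0.1 port $ssh_port

# Direct connections to port 22 are refused with a RST ...
block return in on $ext_if inet proto tcp from any to ($ext_if) port $ssh_port

# ... except from the trusted ranges. pf applies the last matching rule
# (no "quick"), so this pass overrides the block above for <trusted>.
pass in on $ext_if inet proto tcp from <trusted> to ($ext_if) port $ssh_port \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `ssh -p 2222 host` works from anywhere while `ssh host` (port 22) only works from the trusted ranges. The fragment covers only the SSH part of the policy and leaves all other traffic passing, so it would be merged into the host's existing rule set rather than used on its own. Two caveats a practitioner should keep in mind: the redirect only exists while pf is enabled, so if pf is stopped, clients pointed at port 2222 reach whatever happens to be bound there; and because lo0 is skipped, local users can still reach sshd on port 22 over loopback, which is intended (the protection is against an unprivileged listener accepting remote SSH clients), not a hole.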