Has ANYONE been able to verify that Rhosts authentication works with
3.4.p1?  Does it work with other SSHv2 implementations?  Anybody tried
it on a RedHat 7.3 system?

Also, I'm curious about this code I found in sshd.c:

	/*
	 * Check that the connection comes from a privileged port.
	 * Rhosts-Authentication only makes sense from priviledged
	 * programs.  Of course, if the intruder has root access on his
	 * local machine, he can connect from any port.  So do not use these
	 * authentication methods from machines that you do not trust.
	 */
	if (options.rhosts_authentication &&
	    (remote_port >= IPPORT_RESERVED ||
	    remote_port < IPPORT_RESERVED / 2)) {
		debug("Rhosts Authentication disabled, "
		    "originating port %d not trusted.", remote_port);
		options.rhosts_authentication = 0;
	}

It looks to me like this overrides the config file without offering any
way to override this policy.  Also, I think this would cause
compatibility problems with the non-commercial F-Secure SSH-2.4.x client
as it does not use privileged ports for root client connections.

As a general rule I like to see security and authentication policy
determined by config file and not by hard-coding it into the source.
This code doesn't follow that paradigm.

-Randy

Randy Zagar wrote:
>
> Has ANYONE been able to verify that Rhosts authentication works with
> 3.4.p1?  Does it work with other SSHv2 implementations?  Anybody tried
> it on a RedHat 7.3 system?

Don't use rhosts authentication, use hostbased instead.

> Also, I'm curious about this code I found in sshd.c:
>
>
> 	/*
> 	 * Check that the connection comes from a privileged port.
> 	 * Rhosts-Authentication only makes sense from priviledged
> 	 * programs.  Of course, if the intruder has root access on his
> 	 * local machine, he can connect from any port.  So do not use these
> 	 * authentication methods from machines that you do not trust.
> 	 */
> 	if (options.rhosts_authentication &&
> 	    (remote_port >= IPPORT_RESERVED ||
> 	    remote_port < IPPORT_RESERVED / 2)) {
> 		debug("Rhosts Authentication disabled, "
> 		    "originating port %d not trusted.", remote_port);
> 		options.rhosts_authentication = 0;
> 	}
>
> It looks to me like this overrides the config file without offering any
> way to override this policy.  Also, I think this would cause
> compatibility problems with the non-commercial F-Secure SSH-2.4.x client
> as it does not use privileged ports for root client connections.
>
> As a general rule I like to see security and authentication policy
> determined by config file and not by hard-coding it into the source.
> This code doesn't follow that paradigm

You clearly don't understand rhosts "authentication".

-d

On Wed, Oct 30, 2002 at 03:37:12PM -0600, Randy Zagar wrote:
> 	if (options.rhosts_authentication &&
> 	    (remote_port >= IPPORT_RESERVED ||
> 	    remote_port < IPPORT_RESERVED / 2)) {
> 		debug("Rhosts Authentication disabled, "
> 		    "originating port %d not trusted.", remote_port);
> 		options.rhosts_authentication = 0;
> 	}

well sshd should not set options.rhosts_authentication to 0,
but sshd should make sure rhosts_authentication fails,
so setting options.rhosts_authentication = 0 works just fine.
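
The source-port test quoted in this thread, written out as an added example (it is not code from sshd.c or from any poster). The range check is the one in the snippet; the helper names `port_is_trusted` and `rhosts_allowed` are hypothetical, the sample ports are constructed, and the sketch assumes `IPPORT_RESERVED` is 1024.

```c
#include <stdbool.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPORT_RESERVED, 1024 on common systems */

/*
 * Same range test as the quoted snippet, inverted to read positively:
 * a source port is trusted only in [IPPORT_RESERVED / 2, IPPORT_RESERVED),
 * i.e. 512..1023 when IPPORT_RESERVED is 1024.
 * (Hypothetical helper name, not from sshd.c.)
 */
static bool port_is_trusted(int remote_port)
{
	return !(remote_port >= IPPORT_RESERVED ||
	    remote_port < IPPORT_RESERVED / 2);
}

/*
 * Per-connection decision: the configured value is passed in by value
 * and never modified; an untrusted source port makes the method
 * unavailable for this connection only. (Hypothetical helper.)
 */
static bool rhosts_allowed(bool configured, int remote_port)
{
	return configured && port_is_trusted(remote_port);
}

int main(void)
{
	/* Constructed sample ports around both boundaries of the range. */
	const int ports[] = { 22, 511, 512, 1023, 1024, 40000 };
	const size_t n = sizeof(ports) / sizeof(ports[0]);

	for (size_t i = 0; i < n; i++)
		printf("port %5d: trusted=%d allowed(config on)=%d "
		    "allowed(config off)=%d\n", ports[i],
		    port_is_trusted(ports[i]),
		    rhosts_allowed(true, ports[i]),
		    rhosts_allowed(false, ports[i]));
	return 0;
}
```

Note that low ports below 512 (such as 22) fail the test as well as unprivileged ports, so a client that connects from a non-reserved source port never reaches the rhosts check regardless of the configured value.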