Darren Tucker
2018-Jul-06 07:54 UTC
Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?
On 6 July 2018 at 17:24, Gert Doering <gert at greenie.muc.de> wrote:
[...]
> I think we have one customer connection where their firewall admin
> thinks "it is more secure that way" - read, we can't ssh in if we come
> from high ports.
>
> OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> niche problem with a viable workaround, so I can't think of any
> remaining reason why we'd want suid ssh anymore ;-)

There's another possibility: if you have a NAT-capable packet filter in the path you might be able to remap the source ports using source NAT. I think that'd be --to-source=1.2.3.4:800:1023 in iptables (not sure about other systems, I didn't see an obvious way to do it with PF).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Gert Doering
2018-Jul-06 09:36 UTC
Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?
Hi,

On Fri, Jul 06, 2018 at 05:54:24PM +1000, Darren Tucker wrote:
> On 6 July 2018 at 17:24, Gert Doering <gert at greenie.muc.de> wrote:
> [...]
> > I think we have one customer connection where their firewall admin
> > thinks "it is more secure that way" - read, we can't ssh in if we come
> > from high ports.
> >
> > OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> > niche problem with a viable workaround, so I can't think of any
> > remaining reason why we'd want suid ssh anymore ;-)
>
> There's another possibility: if you have a NAT-capable packet filter
> in the path you might be able to remap the source ports using source
> NAT. I think that'd be --to-source=1.2.3.4:800:1023 in iptables (not
> sure about other systems, I didn't see an obvious way to do it with
> PF).

While feasible, I wouldn't actually want to do that. "If there needs to be something special in SSH for this particular customer, I want this to be visible in /etc/ssh/ssh_config". If I hide it in the network, nobody but me will understand why things are working, and I will eventually forget...

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                                   Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             gert at greenie.muc.de
Darren Tucker
2018-Jul-19 13:33 UTC
Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?
On 6 July 2018 at 19:36, Gert Doering <gert at greenie.muc.de> wrote:
[working around it via NAT]
> While feasible, I wouldn't actually want to do that. "If there needs to
> be something special in SSH for this particular customer, I want this
> to be visible in /etc/ssh/ssh_config".

That's fair. It might be an appropriate solution for someone else.

Anyway I have committed the deprecation of UsePrivilegedPort and removed the code to support ssh(1) being setuid so they'll be gone in 7.8.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
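The per-host ProxyCommand workaround that Gert prefers above (visible in ssh_config rather than hidden in a NAT rule), written out as an added example; it is not from this thread or from OpenSSH's own documentation. The thread only mentions the ProxyCommand pointer, so this assumes the usual form of it: the proxy process binds a privileged source port with nc -p, run through sudo because binding a port below 1024 requires root; the hostname, source port and sudoers line are constructed placeholders.

```sshconfig
# Before (what the thread is retiring): a global client option that only
# worked when ssh(1) was installed setuid root. Deprecated and removed in 7.8.
#   UsePrivilegedPort yes

# After: confine the special case to the one host that needs it, so the
# reason is documented next to the setting instead of in a packet filter.
Host customer-fw
    # Constructed placeholder; the customer's real hostname is not in the thread.
    HostName customer.example.com
    Port 22
    # Their firewall only accepts SSH from source ports below 1024.
    # Assumption: nc is an OpenBSD/GNU netcat whose -p sets the local source
    # port; binding a port < 1024 needs root, hence sudo. "sudo -n" fails
    # instead of prompting when no matching NOPASSWD rule exists.
    ProxyCommand sudo -n /usr/bin/nc -p 1022 %h %p

# Companion sudoers entry (constructed example; adjust user, path and host).
# Pinning the full argument list limits the root-run command to exactly this
# proxy invocation; ssh expands %h and %p to the values below:
#   ops ALL=(root) NOPASSWD: /usr/bin/nc -p 1022 customer.example.com 22
```

A fixed source port allows only one such connection to that host at a time (and a second attempt during TIME_WAIT will fail); a small wrapper that tries several ports in the privileged range lifts that, at the cost of a broader sudoers rule.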