Displaying 20 results from an estimated 26 matches for "ipport_reserved".

2016 Jul 22
2
Call for testing: OpenSSH 7.3
On Fri, Jul 22, 2016 at 12:05:53PM +0200, Corinna Vinschen wrote: [...] > This version doesn't build on Cygwin anymore. The reason is that > various configure tests fail. > > The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac. Sigh. How about putting it in defines.h instead? includes.h includes netinet/in.h from whence the definition of IPPORT_RESERVED is, on Cygwin at least, seems to be protected against multiple inclusion. Putting it there means only one definition in a file that we don't...
2008 Aug 12
0
IPPORT_RESERVED
FreeBSD doesn't have a fixed range of reserved ports, although it still has IPPORT_RESERVED for compatibility; instead, the last reserved port number is indicated by the net.inet.ip.portrange.reservedhigh sysctl, which defaults to IPPORT_RESERVED - 1. The attached patch modifies add_local_forward() to use this sysctl instead of IPPORT_RESERVED on FreeBSD. DES -- Dag-Erling Smørgrav - d...
2002 Oct 30
2
Rhosts Authentication broken in 3.4.p1???
...* programs. Of course, if the intruder has root access on his * local machine, he can connect from any port. So do not use these * authentication methods from machines that you do not trust. */ if (options.rhosts_authentication && (remote_port >= IPPORT_RESERVED || remote_port < IPPORT_RESERVED / 2)) { debug("Rhosts Authentication disabled, " "originating port %d not trusted.", remote_port); options.rhosts_authentication = 0; } It looks to me like this overrides the config f...
2002 Jul 04
1
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
Hi, I've sent that patch once already but it seems more or less forgotten in the tumultuous days of the latest vulnerability. It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined on platforms not supporting the concept of "privileged" ports only accessible by privileged users but which allow everyone to use these ports. This patch removes some Cygwin dependencies from the code. Otherwise, if this patch isn't applied, we definitel...
2009 Oct 21
1
Patch to fix dynamic -R forwarding when not root
...#39;, please let me know! --- serverloop.c.original 2009-10-21 10:45:13.000000000 +0300 +++ serverloop.c 2009-10-21 10:53:09.000000000 +0300 @@ -1119,9 +1119,9 @@ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT - || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) + || (listen_port !=0 && listen_port < IPPORT_RESERVED && pw->pw_uid != 0) #endif ) { success = 0; packet_send_debug("Server has disabled port forwarding."); --...
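Review bot: In the changed line, `listen_port !=0` is missing the space before `0`, unlike `pw->pw_uid != 0` in the same expression; write `listen_port != 0`. The reason port 0 is exempted from the reserved-port check is not stated in the code, so a one-line comment above the condition would help. Note also that the earlier clause `(!want_reply && listen_port == 0)` still rejects port 0 when no reply is requested, so the exemption only takes effect for requests with want_reply set.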
2002 Jun 07
4
openssh for UWIN
...;& options.permit_root_login != PERMIT_YES) return 0; *** readconf.c.orig Mon Feb 04 20:26:35 2002 --- readconf.c Thu May 30 16:55:00 2002 *************** *** 200,206 **** u_short host_port) { Forward *fwd; ! #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); --- 200,206 ---- u_short host_port) { Forward *fwd; ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) extern uid_t original_real_uid; if (port < IPPORT_RESERVED &&...
2016 Jul 22
18
Call for testing: OpenSSH 7.3
Hi, OpenSSH 5.3 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is
2000 Oct 30
2
RhostsAuthentication + nondefault port doesn't work?
Hello all, It seems that RhostsAuthentication does not work on non-default port no matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with protocol 1 or protocol 2 (shouldn't work either..). _However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication works just fine! Checking the port number of ssh client you can see that OpenSSH doesn't assign
2016 Jul 22
2
Call for testing: OpenSSH 7.3
...configure stuff entirely? > > Tested counterproposal: Looks reasonable. It's late here so I'm going to look at it tomorrow. > As for the comment preceding the definition, I didn't change it from > your text in my proposal. However. > > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in > terms of the implementation of bindresvport_sa and rcmd. It's not just > backward compatibility. There are also applications out there which > still expect this value to make sense. Fair point. > The *real* problem here is that OpenSSH checks for u...
2011 May 10
1
[Bug 1903] New: bindresvport_sa() does not validate non-zero struct sockaddr * port is within intended range
...ndresvport_sa() is within valid range openbsd-compat/bindresvport.c does not validate that the port provided in struct sockaddr * to bindresvport_sa() is within the valid range of intended reserved ports. If the port provided is non-zero, then that is taken as the starting port. For values >= IPPORT_RESERVED, it has the effect of attempting to bind() to that port (higher than the reserved port range) and then, if that port is in use, tries NPORTS-1 from STARTPORT. If all ports [STARTPORT,ENDPORT) are in use, ENDPORT is never tried. For non-zero values < STARTPORT, there are potentially many lower...
2010 Jul 07
0
ssh client and privileged ports
Hello, The ssh client checks for privileged ports when a local forward is about to be set. This is done in readconf.c's function "add_local_forward": if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); The constant IPPORT_RESERVED is system wide and fixed at make time. This test is not compatible with local and dynamic strategies such as authbind. I would like a non-privileged user (uid...
2000 Aug 04
0
Combining RSA host authentication with another method
...an connect from any port. So do not use these * authentication methods from machines that you do not trust. + * + * If we're doing RSA host/other authentication we must have rhosts/RSA, + * but this is OK because we won't use rhosts authentication. */ if (remote_port >= IPPORT_RESERVED || remote_port < IPPORT_RESERVED / 2) { *************** *** 983,988 **** --- 986,994 ---- options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; } + if ( options.rsa_host_other_authentication ) { + options.rhosts_rsa_authentication = 1; + } #ifdef KRB4...
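Review bot: The added block `if ( options.rsa_host_other_authentication ) { options.rhosts_rsa_authentication = 1; }` sits directly after the untrusted-port branch that sets `options.rhosts_rsa_authentication = 0`, so with this option enabled the source-port check no longer disables rhosts/RSA. The new comment says this is OK but does not say why the port check can be bypassed; spell that out, or only re-enable the method when the port check passed. The `if ( ... )` spacing also differs from the `if (remote_port ...` style used just above.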
2000 Feb 15
0
tiny bug fix
...g Index: sshconnect.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v retrieving revision 1.53 diff -u -r1.53 sshconnect.c --- sshconnect.c 2000/01/18 09:42:17 1.53 +++ sshconnect.c 2000/02/15 10:18:18 @@ -150,7 +150,7 @@ int p = IPPORT_RESERVED - 1; sock = rresvport_af(&p, family); if (sock < 0) - fatal("rresvport: af=%d %.100s", family, strerror(errno)); + error("rresvport: af=%d %.100s", family, strerror(errno)); debug("Allocated local port %d.", p); } else { /*
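Review bot: With fatal() replaced by error() in the `sock < 0` branch, execution now continues to `debug("Allocated local port %d.", p);` even when rresvport_af() failed, so the log reports an allocated port that was never bound and the negative sock is carried forward. Put the debug() call in an else branch, and make sure the code after this block handles `sock < 0` explicitly (return an error or fall back to an unprivileged socket).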
2001 Apr 12
1
ssh not using priv port if target prot not priv
...ted anywhere except possibly in the source to the ssh_create_socket function in sshconnect.c: /* * If we are running as root and want to connect to a privileged * port, bind our own socket to a privileged port. */ if (privileged) { int p = IPPORT_RESERVED - 1; sock = rresvport_af(&p, family); if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno) ); else debug("Allocated local port %d.", p); } else {...
2001 Dec 05
1
permitopen for -R connections?
...he reverse forwarded connections. I assume I will have to add a new check function in: serverloop.c:server_input_global_request at: /* check permissions */ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { success = 0; packet_send_debug("Server has disabled port forwarding." I assumed I could implement a parallel mechanism to the -L port checking, but I am having trouble figuring out how restriction of the -L...
2016 Oct 17
20
[Bug 2625] New: Support Capabilities for ssh client port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=2625 Bug ID: 2625 Summary: Support Capabilities for ssh client port forwarding Product: Portable OpenSSH Version: 7.3p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs
1997 Sep 16
8
Re: Security Concern..
[Mod: This message is a reason *why* linux-security is a moderated list. This is also a reason why Rogier, myself, Alan Cox and others really do not want to have completely open lists that deal with security related aspects of running a system as way too many people just jump to conclusions and give suggestions without doing any research on a subject. -- alex (co-moderator of
2017 May 04
5
OpenSSH contract development / patch
On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it
2001 Oct 07
3
socks and misc patch to 2.9.9p2
...#include "includes.h" RCSID("$OpenBSD: sshconnect.c,v 1.110 2001/07/25 14:35:18 markus Exp $"); -#include <openssl/bn.h> - #include "ssh.h" #include "xmalloc.h" #include "rsa.h" @@ -182,7 +180,12 @@ */ if (privileged) { int p = IPPORT_RESERVED - 1; +#if defined(SOCKS) +/* does not support IPV6 */ + sock = Rrresvport(&p); +#else /* SOCKS */ sock = rresvport_af(&p, family); +#endif /* SOCKS */ if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else @@ -326,7 +329,12 @@ * the r...
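Review bot: In the `#if defined(SOCKS)` branch, `Rrresvport(&p)` is called without `family`, and the only guard is the comment `/* does not support IPV6 */`, while the error path below still prints `af=%d` with family. Check that family is AF_INET before taking this branch, and fall back or fail with a clear message otherwise. The removal of `#include <openssl/bn.h>` at the top of the file looks unrelated to SOCKS support and should be explained or split into its own change.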
2002 May 11
4
socks5 support
...#include "includes.h" RCSID("$OpenBSD: sshconnect.c,v 1.110 2001/07/25 14:35:18 markus Exp $"); -#include <openssl/bn.h> - #include "ssh.h" #include "xmalloc.h" #include "rsa.h" @@ -182,7 +180,12 @@ */ if (privileged) { int p = IPPORT_RESERVED - 1; +#if defined(SOCKS) +/* does not support IPV6 */ + sock = Rrresvport(&p); +#else /* SOCKS */ sock = rresvport_af(&p, family); +#endif /* SOCKS */ if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else @@ -326,7 +329,12 @@ * the r...