ssh(1) and privileged port

Post by t.. » Tue, 01 Feb 2000 04:00:00



Hello all,

I have ssh(1) setup at my work machine and home machine.
Currently I use only password authentication for connecting
to my work machine.
When I view the /var/log/messages, I notice that my ssh
connections are occurring at ports other than 22 (e.g. 1022,
1023). What is the significance/advantages/disadvantages
of using privileged ports over unprivileged ports?
I am particularly interested in forwarding ports since I
connect through a low bandwidth link.
Thankx.

-Thas

Sent via Deja.com http://www.deja.com/
Before you buy.


ssh(1) and privileged port

Post by Todd Kelle » Fri, 11 Feb 2000 04:00:00


Ports 1 - 1024 are trusted ports, so that means that a service can't be
run within that range unless it's started as root (example: httpd starts
as root and switches ownership to whatever user/group is stated in
httpd.conf, normally nobody/nobody). This just means that while root runs
the service, connections will be above 1024.

Another example of this is with (again) http calls. The server itself
runs on port 80 (usually), and opens connections above 1024. While I
don't exactly have any true expertise in this field like most others
likely do, I do know that you want root owning and running the service
so nobody else can just blow it away or redo configurations, etc...

Hope this helps some.

--Todd


> Hello all,
>
> I have ssh(1) setup at my work machine and home machine.
> Currently I use only password authentication for connecting
> to my work machine.
> When I view the /var/log/messages, I notice that my ssh
> connections are occurring at ports other than 22 (e.g. 1022,
> 1023). What is the significance/advantages/disadvantages
> of using privileged ports over unprivileged ports?
> I am particularly interested in forwarding ports since I
> connect through a low bandwidth link.
> Thankx.
>
> -Thas
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



ssh(1) and privileged port

Post by John I Wan » Sat, 12 Feb 2000 04:00:00


Hello Thas

ssh was created as a replacement for rsh. The authentication for rsh
allowed for the concept of trusted hosts via the users ~/.rhosts file or
the system /etc/hosts.equiv file.

Basically, if the remote host was trusted then one could trust its
authentication of the user and need not challenge for the password
again. This was very convenient for the execution of scripts so that one
need not include passwords in the script itself.

But what's to stop a user from writing their own rsh that just claims to
be someone else? Well, the trust is limited to cases where the source
port is a privileged port; since only root processes can bind a
privileged port, the rsh executable being executed on the remote side
must've been installed by root with the SUID bit. This is why both the
rsh and ssh executables have the SUID bit set.

Of course, this is all for naught now that the assumption that all
computers are controlled by trustworthy well paid system administrators
is no longer true, not that the assumption was ever really true.

Note that although the source port is often around the 1000 to 1023 mark
(for ssh, greater than 1023 for other apps), the destination port is
almost always 22 for ssh (23 for telnet, 20 and 21 for ftp etc.). Source
ports are chosen to spread the load out in the kernel whereas the
destination ports are where the daemon is expected to be listening.
Services like portmapper are there to negotiate selection of both source
and destination ports to spread out the load on both machines.

Regards,
John


> Hello all,
>
> I have ssh(1) setup at my work machine and home machine.
> Currently I use only password authentication for connecting
> to my work machine.
> When I view the /var/log/messages, I notice that my ssh
> connections are occurring at ports other than 22 (e.g. 1022,
> 1023). What is the significance/advantages/disadvantages
> of using privileged ports over unprivileged ports?
> I am particularly interested in forwarding ports since I
> connect through a low bandwidth link.
> Thankx.
>
> -Thas
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
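The trusted-host reasoning in John's reply, and the 1022/1023 source ports Thas saw in /var/log/messages, as an added example that is not part of the thread: the script classifies the source port of each sshd connection line as privileged or not (the only thing the old rsh/ssh trust model could infer from it) and tries a local bind to show who may take such a port. The log lines are constructed in the style of ssh1-era sshd messages, not real logs.

```python
"""Added example (not from the thread): classify sshd source ports the way the
rsh/ssh trusted-host model did, and test binding a port as the current user."""
import errno
import re
import socket

PRIVILEGED_MAX = 1023  # ports 1..1023: only root (or a set-uid-root client) may bind

# Constructed sample in the style of ssh1-era /var/log/messages; not real logs.
SAMPLE_LOG = """\
Jan 31 09:12:01 work sshd[412]: log: Connection from 192.0.2.10 port 1022
Jan 31 09:12:03 work sshd[412]: log: Password authentication for thas accepted.
Jan 31 09:20:44 work sshd[431]: log: Connection from 192.0.2.10 port 1023
Jan 31 09:41:07 work sshd[455]: log: Connection from 198.51.100.7 port 40211
"""
CONN_RE = re.compile(r"sshd\[\d+\]: log: Connection from (\S+) port (\d+)")

def is_privileged(port):
    """True for a source port that only a root-run client could have bound."""
    return 0 < port <= PRIVILEGED_MAX

def classify_connections(log_text):
    """Return (peer, source_port, privileged) for each connection line.
    A privileged source port only shows the client ran as root (or set-uid
    root) on the peer; it says nothing about whether that peer's root is
    trustworthy, which is exactly the gap the thread describes."""
    rows = []
    for m in CONN_RE.finditer(log_text):
        peer, port = m.group(1), int(m.group(2))
        rows.append((peer, port, is_privileged(port)))
    return rows

def try_bind(port):
    """Bind 127.0.0.1:port once: 'bound', 'eacces' (non-root on <1024) or 'inuse'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "bound"
    except PermissionError:          # EACCES: privileged port without root
        return "eacces"
    except OSError as e:
        return "inuse" if e.errno == errno.EADDRINUSE else "error"
    finally:
        s.close()

if __name__ == "__main__":
    for peer, port, priv in classify_connections(SAMPLE_LOG):
        print(f"{peer} port {port}: {'privileged' if priv else 'unprivileged'}")
    print("bind 1023 as this user:", try_bind(1023))
```

Run it once as an ordinary user and once as root to see try_bind(1023) flip from 'eacces' to 'bound'; the classification of the log lines is the same either way.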

