Re: [TCLUG:18277] firewall question

To: tclug-list@mn-linux.org
Subject: Re: [TCLUG:18277] firewall question
From: Dan Debertin <danield@bitstream.net>
Date: Mon, 29 May 2000 00:30:59 -0500 (CDT)
In-Reply-To: <m3og5q6jeo.fsf@eggplant.mn.mtu.net>

Yes, this is correct. SSH1 binds to privileged source ports (1-1024) by
default. This is consistent with the SSH philosophy of "proving" your
trustworthiness by binding to a privileged port -- and as a result, you
will notice that, as only root has this privilege, your ssh binary is
likely installed setuid root. The security of this plan is arguable, which
is likely why they dispensed with it in SSH2.

Anyway, SSH1 usually picks source ports starting at 1000 for this; OpenSSH
starts a little lower at 950 IIRC. It then increments the source port for
every subsequent connection, provided no other service is bound to a given
port. You can either change your firewall rules to allow these ports, or
invoke ssh with the -P option to disable the use of a privileged source
port.



~Dan D.
Senior Systems Administrator
Bitstream Underground, LLC
danield@bitstream.net
(612)321-9290

References:
- firewall question
  - From: Jon Schewe <jpschewe@eggplant.mtu.net>

Prev by Date: firewall question
Next by Date: XFree86 4.0 RPMs?
Prev by thread: firewall question
Next by thread: RE: [TCLUG:18277] firewall question
Index(es):
- Date
- Thread