Re: SSH LocalForward

Sevo Stille (sevo@inm.de)
Sun, 03 Aug 1997 01:03:25 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Nicolas Dubee: "(no subject)"
Previous message: Matt: "Bugs in Debian Linux's ircd package"
Maybe in reply to: Kristof Van Damme: "SSH LocalForward"
Next in thread: Sevo Stille: "Re: SSH LocalForward"

> Von: Kristof Van Damme <aeneas@sesuadra.org>
>...
> I bumped into a weird 'feature' of ssh 1.2.20. When I run:
>...
> the port must be available). When I connect to it I get a normal
> redirection to remotehost:80 over the secure channel. This means however
> that a non-root user is able to open privileged ports on the localhost and
> redirect them. Is this normal? I checked it on Linux and Solaris.

>From a quick glance across the source, ssh rejects attempts to forward privileged
ports for non-root users while parsing the command line arguments - the config file
is read further down in the code, without performing a similar test. The immediate
fix is chmod -s (which will get rid of potential similar holes in ssh as well...) - the
more reasonable method is to move the check into add_local_forward():

--- readconf.c Sun Aug 3 00:55:40 1997
+++ readconf.c.orig Sun Aug 3 00:57:21 1997
@@ -204,11 +204,6 @@
Forward *fwd;
if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
- if (port < 1024 && original_real_uid != UID_ROOT)
- {
- fatal("Privileged ports can only be forwarded by root.\n");
- exit(1);
- }
fwd = &options->local_forwards[options->num_local_forwards++];
fwd->port = port;
fwd->host = xstrdup(host);

Sevo

Next message: Nicolas Dubee: "(no subject)"
Previous message: Matt: "Bugs in Debian Linux's ircd package"
Maybe in reply to: Kristof Van Damme: "SSH LocalForward"
Next in thread: Sevo Stille: "Re: SSH LocalForward"