Re: SSH LocalForward

Bryan Andregg (bandregg@REDHAT.COM)
Tue, 05 Aug 1997 13:29:28 -0400

On Tue, 5 Aug 1997 00:33:39 -0400, Kyle Amon wrote:

>In fact, I also recommend taking this step a little further. You can help
>to ensure that ssh is not used with 'rhosts' or 'RSA rhosts' authentication
>even if the setuid bit is set (or later reset), by configuring your router's
>ACLs to only accept ssh source ports of 1024 and above. Of course, this
>won't help connections that don't go through the routers, but it adds a
>little bit of extra protection and even flexibility. For example, in an
>environment with a medium internal trust level and low external trust level,
>it might be desirable to allow 'rhosts' and/or 'RSA rhosts' authentication
>internally and yet ensure that this relaxed posture is not also a 'feature'
>to the outside world. You could leave the ssh setuid bit on and configure
>internal routers to accept ssh source ports of 1022 and above while
>configuring border routers to only accept ssh source ports of 1024 and above.
>You could then allow the more relaxed posture internally while not also
>relaxing your trust of the outside world OR prohibiting more secure 'RSA
>only' (augmented with S/Key, etc. if desired) ssh traffic from/to the outside
>world. This could be especially useful in complex transitive trust
>environments.

Actually, blocking ssh from ports lower than 1024 causes problems for those who
use ssh as root. When using ssh as root (non-setuid even), ssh still uses a
reserved port.

--
                Bryan C. Andregg * <bandregg@redhat.com> * Red Hat Software

"Sure, to you she's just a set of intercorrelated coordinates. What fun is that?" -- 'Experiment Zero', Man or Astroman?

"Donnie were much more 'user-friendly'. May be you selective about friends:-)" -- Levente Farkas
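To make the source-port policy discussed above concrete, here is an added example (not code from either poster) that applies the proposed thresholds, 1022 and above on internal routers and 1024 and above on border routers, to a few constructed connection-log lines and flags the case Bryan raises: a client on a reserved port, which is what a setuid ssh or a root-run ssh produces. The log format and addresses are invented for the example.

```python
import re

# Constructed sample log lines (not from the thread): one TCP connection per line.
SAMPLE_LOG = """\
1997-08-05T13:01:02 ACCEPT tcp 10.1.2.3:1022 -> 10.1.9.9:22 zone=internal
1997-08-05T13:01:05 ACCEPT tcp 192.0.2.44:1023 -> 10.1.9.9:22 zone=border
1997-08-05T13:01:09 ACCEPT tcp 192.0.2.45:40522 -> 10.1.9.9:22 zone=border
1997-08-05T13:02:00 ACCEPT tcp 10.1.2.7:1021 -> 10.1.9.9:22 zone=internal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ tcp (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) zone=(?P<zone>\w+)$"
)

# Minimum accepted ssh source port per router class, as proposed in the thread.
MIN_SPORT = {"internal": 1022, "border": 1024}
SSH_PORT = 22
PRIVILEGED_MAX = 1023  # ports 0-1023 can only be bound by root (or setuid ssh)


def check_line(line):
    """Return a verdict dict for one ssh connection line, or None if not ssh."""
    m = LINE_RE.match(line)
    if not m or int(m["dport"]) != SSH_PORT:
        return None
    sport = int(m["sport"])
    zone = m["zone"]
    # Reserved source port means the client could perform rhosts/RSA-rhosts auth.
    privileged = sport <= PRIVILEGED_MAX
    verdict = "deny" if sport < MIN_SPORT[zone] else "allow"
    return {
        "src": m["src"],
        "sport": sport,
        "zone": zone,
        "privileged_source": privileged,
        "verdict": verdict,
    }


def audit(log_text):
    """Evaluate every ssh connection in the log against the zone's ACL threshold."""
    results = []
    for line in log_text.splitlines():
        r = check_line(line)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r)
```

The fourth line (internal client on port 1021) is denied even internally, and the second line shows a root-run ssh from outside (port 1023) being dropped at the border, which is exactly the side effect Bryan points out.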