IETF-SSH archive


Re: global and channel requests -- more information on failure, more flexibility on success



K S Braunsdorf <ksb%sa.fedex.com@localhost> writes:

> Well that brings up the issue of privileged ports.  There are really
> a few cases the client might ask for:
> 	"give me any (unprivileged) port"
> 	"give me an explicit port numbered P"
> 	"give me a privileged port"
> 
> We have 2 of those covered,
> 	0 -> any unprivileged port
> 	P -> P
> 
> But nothing in the requests I've seen allows "any privileged port",
> or am I behind the times?

Well, such a request could be allowed only if the client session is
authenticated as root (or else, the ports are in effect not privileged
anymore ;-). As it doesn't apply to ordinary user sessions, I don't
think such a feature would be terribly important.

> The obvious (work around) implementation is to scan all the
> privileged ports with requests -- really yucky,

The operation "give me a privileged port" is yucky, even if you could
do it with a single ssh request. The server would have to try binding
ports until it succeeds.

> and we don't really know the rules for "privileged ports" on a remote
> system.

I think "privileged ports" is a somewhat broken concept anyway, but it
isn't relative. The whole point of binding an unspecified privileged
port is to be able to convince remote peers that you are indeed
"privileged" in some way. Like with the .rhosts hack. This test is
based on the port number only. So the port range is the same on all
hosts, only the meaning of "privileged" varies.

Bottom line: I don't think a request for binding "any privileged port"
is very useful. Do you have any scenario where you'd like to use it?

Best regards,
/Niels
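The three requests under discussion, as an added worked example that is not part of the original thread or of any SSH implementation: the message layout is the "tcpip-forward" global request as later written down in RFC 4254 section 7.1 (port 0 means "allocate a port", and the server's SSH_MSG_REQUEST_SUCCESS then carries the port it chose). The server-side policy (an explicit port at or below 1023 is refused unless the session is authenticated as root) and the range-scanning `bind_first_free` are assumptions of this example, written to illustrate the reply above; they are not taken from any server. The binder is injectable so the policy can be exercised without opening real sockets.

```python
import socket
import struct

# Message numbers and request name from RFC 4254 section 7.1.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82
TCPIP_FORWARD = b"tcpip-forward"

# Assumption: the classic Unix rule, binding a port below 1024 needs root.
PRIVILEGED_MAX = 1023


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def encode_tcpip_forward(address: str, port: int, want_reply: bool = True) -> bytes:
    """Client side: port 0 asks for any unprivileged port, P asks for exactly P."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + _string(TCPIP_FORWARD)
            + bytes([1 if want_reply else 0])
            + _string(address.encode()) + struct.pack(">I", port))


def decode_tcpip_forward(msg: bytes):
    """Server side: returns (address, port, want_reply) or raises on a foreign message."""
    if msg[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    name, off = _read_string(msg, 1)
    if name != TCPIP_FORWARD:
        raise ValueError("unsupported request %r" % name)
    want_reply = msg[off] == 1
    address, off = _read_string(msg, off + 1)
    (port,) = struct.unpack_from(">I", msg, off)
    return address.decode(), port, want_reply


def bind_port(address: str, port: int):
    """Real binder: returns the port actually bound, or None if bind() failed.
    Demo only: the listener is closed again; a real server would keep it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((address, port))
        return s.getsockname()[1]
    except OSError:
        return None
    finally:
        s.close()


def bind_first_free(address: str, lo: int, hi: int, bind=bind_port):
    """The "scan the range until something binds" workaround from the thread.
    For lo..hi = 1..1023 this is the 'give me any privileged port' operation."""
    for p in range(lo, hi + 1):
        got = bind(address, p)
        if got is not None:
            return got
    return None


def server_handle_tcpip_forward(msg: bytes, client_is_root: bool, bind=bind_port) -> bytes:
    """Assumed server policy: explicit privileged ports only for root sessions.
    Returns the reply bytes (empty if the client did not want a reply)."""
    address, port, want_reply = decode_tcpip_forward(msg)
    if 0 < port <= PRIVILEGED_MAX and not client_is_root:
        bound = None                      # refused before touching the socket
    else:
        bound = bind(address, port)       # port 0 lets the OS pick an unprivileged one
    if not want_reply:
        return b""
    if bound is None:
        return bytes([SSH_MSG_REQUEST_FAILURE])
    reply = bytes([SSH_MSG_REQUEST_SUCCESS])
    if port == 0:                         # RFC 4254: report the allocated port
        reply += struct.pack(">I", bound)
    return reply


if __name__ == "__main__":
    req = encode_tcpip_forward("127.0.0.1", 0)
    print(decode_tcpip_forward(req))
    print(server_handle_tcpip_forward(req, client_is_root=False).hex())
    print(server_handle_tcpip_forward(encode_tcpip_forward("127.0.0.1", 22), False).hex())
```

Run as a script it binds once on 127.0.0.1 with port 0 and prints the success reply carrying the OS-chosen port, then the failure reply for an explicit port 22 from a non-root session. Note that `bind_first_free` over 1..1023 answers the "any privileged port" question only by making up to 1023 bind attempts, which is exactly the cost the reply above objects to.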


