Subject: Re: i386 IO access and chroot()
To: Michael Richardson <>
From: Andrew Brown <>
List: tech-security
Date: 07/16/2001 03:00:29
On Sat, Jul 14, 2001 at 11:36:28PM -0400, Michael Richardson wrote:
>    Greg> done the authentication, but that's a separate issue).  As I
>    Greg> understand the Unix security model in combination with the SSH
>    Greg> protocol this means that SSH must run as root on both ends and the
>    Greg> initial use of a TCP port less than 1024 is key to the web of trust
>  No. 
>  SSH can emulate "rhost" <1024 stuff if you insist. That is not the default.
>  You can permit RhostRSA to use RSA to authenticate hosts. That depends upon
>access to /etc/ssh_host_key, which is why ssh client is often setuid. This
>also is often not the default. (although setuid ssh has been the default in
>the past).

a suid ssh client gains you two modes of authentication which are sort
of similar, but not the same: RhostsAuthentication and
RhostsRSAAuthentication.  the former requires the client to be
connecting to the server from a "privileged" port and the latter
requires privileges on the client machine to read the file called (eg)
/etc/ssh_host_key.  i don't recall off the top of my head if the use
of a "privileged" port is required for this form of authentication to

>  Most use of ssh does not require any of this.


|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."