
Re: MacOS TCP port permissions

From cross@spitfire.i.gajendra.net (Dan Cross)
Newsgroups comp.unix.programmer
Subject Re: MacOS TCP port permissions
Date 2026-04-17 22:56 +0000
Organization PANIX Public Access Internet and UNIX, NYC
Message-ID <10rudri$19o$1@reader1.panix.com> (permalink)
References <10rq7hc$1b1bt$1@dont-email.me> <10rtkrv$2ifdm$1@dont-email.me> <egwER.293175$4wI6.219945@fx24.iad> <87tst9s4v4.fsf@kst.eternal-september.org>



In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson  <Keith.S.Thompson+u@gmail.com> wrote:
>scott@slp53.sl.home (Scott Lurndal) writes:
>> boltar@caprica.universe writes:
>[...]
>>>Oh FFS, the hacker server would use whatever keys the hacker wanted it to
>>>use. Do try and keep up.
>>
>> You don't seem to have an understanding of the session
>> establishment protocol used by ssh, or the context of the
>> thread you've butted into (context: the ability for a
>> non-privileged process to bind to ports below 1024).
>>
>> In that particular scenario, the non-privileged process
>> cannot read the host key.  Yes, it can present a different
>> host key, which David pointed out may cause the client to
>> complain that the host key has been changed - a clear warning
>> to the user that the host he is attempting to log into may
>> have been compromised.
>[...]
>
>If I understand correctly, a non-root user can set up a server on a
>"privileged" port, but not if that port is already in use.  If root
>already has sshd listening on port 22, a non-root user won't
>be able to set up another server on the same port.  (And an ssh
>server on a port other than 22 isn't going to be visible unless
>someone goes looking for it.)
>
>Which means, unless I'm missing something, that the warning about
>a changed host key is not likely to show up.  (Unless the system
>doesn't have an ssh server -- but then how does the user get
>into it?)

The SSH protocol is conceptually layered into two parts: the
"SSH transport protocol", described in RFC4253, is the lower
layer protocol, and authenticates _hosts_ (see section 1 of the
RFC).  A side-effect of the host authentication exchange is
the generation of a random ephemeral encryption key suitable for
use with a symmetric cipher.

This type of authentication is based on public key cryptography.
When SSH server software is installed onto a computer, part of
the initial configuration process is generating a public/private
key pair (the "host key") that is used in the host
authentication protocol; the public key is distributed widely,
while the private key is (as the name implies) private to the
server itself.  One of the most basic mechanisms for securing
the host private key is ensuring that only the administrator can
read it.

User authentication is described in RFC4252 ("the Secure Shell
Authentication Protocol").  It is intended to be used over a
connection already host-authenticated and encrypted by the SSH
transport protocol.

You are correct that if an SSH server is already running and
bound to the well-known SSH server port (e.g., TCP port 22),
then some other program cannot bind to that port (even if
running as root).

But suppose the SSH daemon is not running, and some random user
sets up an imposter server listening on that port.  Since
unprivileged users can bind any port (including 22), they can do
so.  But, since they presumably cannot read the file containing
the host private key, they lack the cryptographic key material
required to authenticate as the real server using the RFC4253
host authentication protocol.  Clients will notice that and
fail to establish an SSH transport protocol connection, well
before user authentication is attempted, let alone a shell or
anything similar is executed.

>And even if there's no existing ssh server, a non-root sshd would
>only provide access to the user's account.

Not even.  The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

>More plausibly, a non-root user could set up an ftp server.

Potentially they could, though most Unix-y systems store the
user's password hashed using some one-way algorithm that is not
easily invertible, and on top of that, only allow privileged
access to the hashed passwords.  So they could set up an
imposter FTP service (who uses the insecure FTP protocol in this
day and age?!) and collect passwords the user enters, but they
could not necessarily validate that those passwords are actually
the user's real password.

	- Dan C.
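An added illustration of the host-authentication argument above (not code from the post or from any SSH implementation): a client that already has the server's public host key in known_hosts checks the presented key K_S and the server's signature over the exchange hash H, as in RFC 4253 section 8. It assumes Ed25519 host keys and a deliberately simplified, constructed H; the key pairs and nonces are generated inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// HostAuth is the client's verdict on the server's host authentication.
type HostAuth int
const (
	HostOK       HostAuth = iota // key matches known_hosts, proof of possession valid
	HostChanged                  // presented key differs from the known_hosts entry
	HostBadProof                 // key matches, but the signature over H does not verify
)

// exchangeHash stands in for the RFC 4253 exchange hash H (the real H also
// covers identification strings, KEXINIT payloads and the DH values).
func exchangeHash(clientNonce, serverNonce, hostKey []byte) []byte {
	h := sha256.New()
	h.Write(clientNonce)
	h.Write(serverNonce)
	h.Write(hostKey)
	return h.Sum(nil)
}

// clientVerify: K_S must match known_hosts, and the signature over H must
// verify under that key. Either failure aborts the transport before userauth.
func clientVerify(known, presented ed25519.PublicKey, h, sig []byte) HostAuth {
	if !bytes.Equal(known, presented) {
		return HostChanged
	}
	if !ed25519.Verify(presented, h, sig) {
		return HostBadProof
	}
	return HostOK
}

// Scenario: a client that knows hostPub meets the genuine server, an impostor
// presenting its own key, and one presenting hostPub but signing with its own key.
func Scenario() (genuine, ownKey, pubOnly HostAuth) {
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed host key
	fakePub, fakePriv, _ := ed25519.GenerateKey(rand.Reader) // impostor's key pair
	cNonce, sNonce := []byte("client-cookie"), []byte("server-cookie")
	h := exchangeHash(cNonce, sNonce, hostPub)
	genuine = clientVerify(hostPub, hostPub, h, ed25519.Sign(hostPriv, h))
	ownKey = clientVerify(hostPub, fakePub, h, ed25519.Sign(fakePriv, h)) // rejected at key compare
	pubOnly = clientVerify(hostPub, hostPub, h, ed25519.Sign(fakePriv, h)) // rejected at signature
	return
}
```

The impostor that cannot read the host private key fails in both forms: presenting its own key trips the "host key changed" comparison, and presenting the genuine public key leaves it unable to produce a signature that verifies.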
