Re: why is tunnel blocked for privileged ports?
From: Eloi Granado (eloi.granado_at_millorsoft.net)
Date: 01/08/04
- Previous message: Marius Huse Jacobsen: "Re: SFTP Issue"
- In reply to: Carlos Carvalho: "why is tunnel blocked for privileged ports?"
- Next in thread: Joe Smith: "Re: why is tunnel blocked for privileged ports?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: secureshell@securityfocus.com
Date: Thu, 8 Jan 2004 09:46:24 +0100
It's in the ssh client manual:
-L port:host:hostport
    Specifies that the given port on the local (client) host is to
    be forwarded to the given host and port on the remote side.
    This works by allocating a socket to listen to port on the
    local side, and whenever a connection is made to this port,
    the connection is forwarded over the secure channel, and a
    connection is made to host port hostport from the remote
    machine. Port forwardings can also be specified in the
    configuration file. Only root can forward privileged ports.
    IPv6 addresses can be specified with an alternative syntax:
    port/host/hostport
"Only root can forward privileged ports"
So, AFAIK, you have two options:
- Edit the source, and do it for every security upgrade (I did it for
  Apache, and it was a pain).
- Use another thing.
About "the other thing", you may want to try stunnel (you'll have to use
client certificates instead of passwords).
Regards,
Eloi Granado
On Thursday 08 January 2004 05:43, Carlos Carvalho wrote:
> Hi folks,
>
> I'm trying to allow users to have access to pop and smtp services via an
> ssh tunnel in ssh.com 3.2.3. I have this in sshd2_config:
>
> # AllowX11Forwarding yes
> AllowTcpForwarding yes
> ForwardACL deny remote .* .*
> ForwardACL allow local .* localhost%110
> ForwardACL allow local .* localhost%25
>
> Users usually connect via ssh.com's window client with the tunnel
> created with the following:
>
> Menu Edit -> Settings -> Profile Settings -> Tunneling -> Outgoing.
>
> Click Add. In "Display Name" put smtp. In "ListenPort" put 25. In
> "Destination Host" use fisica.ufpr.br, and for "Destination Port" use 25.
>
> There's an analogous setting for pop3.
>
> However tunneling is being denied by sshd on the server because normal
> users are trying to tunnel to a privileged port. This restriction
> isn't mentioned in the manual but looking at the source we have this
> in sshchtcpfwd.c around line 1288:
>
> /* If user is not logged in as a privileged user, don't allow
>    forwarding of privileged ports. */
> if (port < 1024)
>   {
>     if (ssh_user_uid(common->user_data))
>       {
>         ssh_warning("User \"%s\" not root, tried to forward privileged "
>                     "port %ld.", ssh_user_name(common->user_data), (unsigned long) port);
>         SEND_FAILURE;
>       }
>   }
>
> I don't understand the reason for this restriction. I thought a
> tunnel is equivalent to being logged in locally; if users have access
> to these ports why cannot they do it coming through ssh? In fact the
> only reason for configuring this on the system server is exactly to be
> able to reach these ports, otherwise users could install their own
> forwarders in other ports without administrator intervention.
>
> I'm probably missing something obvious... How can I do it?
--
-----------------------------------------------------
Eloi Granado (eloi@millorsoft.es)
PGP Key: http://eloi.millorsoft.es/pgp-publickey.asc
-----------------------------------------------------
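The -L forwarding mechanism from the man page excerpt above, combined with the uid/port check Carlos quotes from sshchtcpfwd.c, as an added example in Python (not ssh.com's or OpenSSH's code): a loopback-only forwarder that, for a non-root uid, refuses a destination port below 1024 with the same warning, plus a constructed echo server standing in for the mail daemon. The names forward_permitted, start_forwarder, start_echo_server and send_through and the sample traffic are all constructed here.

```python
import os
import socket
import threading

PRIVILEGED_LIMIT = 1024  # Unix treats ports below 1024 as privileged

def forward_permitted(uid, hostport):
    # Mirror of the check quoted from sshchtcpfwd.c: only root may forward to a port < 1024.
    return hostport >= PRIVILEGED_LIMIT or uid == 0

def _pump(src, dst):
    # Copy bytes one way until EOF, then half-close so the far side sees EOF too.
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def _serve(port, on_accept):
    # Bind 127.0.0.1:port (0 = any free port), accept on a daemon thread, return the bound port.
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", port))
    lsock.listen()
    def loop():
        while True:
            on_accept(lsock.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]

def start_forwarder(listen_port, host, hostport, uid=None):
    # Like -L listen_port:host:hostport: relay each local connection to host:hostport.
    uid = getattr(os, "getuid", lambda: 0)() if uid is None else uid
    if not forward_permitted(uid, hostport):
        raise PermissionError(
            f"User uid={uid} not root, tried to forward privileged port {hostport}.")
    def relay(client):
        upstream = socket.create_connection((host, hostport))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    return _serve(listen_port, relay)

def start_echo_server():
    # Constructed stand-in for the POP/SMTP daemon, listening on an unprivileged port.
    return _serve(0, lambda c: threading.Thread(
        target=_pump, args=(c, c), daemon=True).start())

def send_through(port, data):
    # Connect to the forwarder's local port, send data, return whatever comes back.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Forwarding to the echo server's unprivileged port succeeds for uid 1000, while the same request for destination port 25 is refused exactly as in Carlos's server log.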