[Courses] [Security] Port forwarding with SSH

Raven, corporate courtesan raven at oneeyedcrow.net
Wed Mar 27 16:38:04 EST 2002


Heya --

Quoth Linda Laubenheimer (Tue, Mar 26, 2002 at 05:30:03PM -0800):
> > I've never seen port forwarding for ports under 1024 work when run
> > as a user -- you need to be root most of the time to open any port
> > under 1024.
> 
> Huh??  I port forward my POP mail and outgoing mail all the time, 
> with no root access.

	Doh -- I should have been a lot more clear there, sorry.  I've
not been able to open ports below 1024 that are accessible to things
outside the local machine when running as a user.  So, anything using
the -g option to turn the forwarding into a gateway, like in the example
for Jennyw's network, I've had to do as root.  I haven't tried to do -g
port forwarding as a user any time recently (in the last year or so).
So if it's now possible, I'm unaware of it.  Port forwarding on the
local machine only shouldn't need any special privileges.

	I don't have a system handy where I can try -g forwarding with a
low port; my home network is set up for it, though.  I'll try it without
being root the next time I'm at home, and let y'all know whether it
works.  I would think (enter speculation here) that whether it would
work depends on the userid of the process trying to open the port.  So
if it's the ssh daemon doing so, that usually runs as root, and it would
have the necessary privileges.  But if it's the ssh client (I believe
this to be the case, but it's a guess), that only has the permissions of
the user that invokes it, and jane-user normally cannot open those low
ports.

> ssh-agent??  is that for key based authentication??

	Yes.  Key-based authentication isn't nearly as hard as it
sounds.  Basically, ssh-agent loads your private keys upon request, and
then responds to authentication requests for you.  When you use key
authentication rather than password authentication, you'll be prompted
for the passphrase for your key, not the password on the remote system.
Ssh-agent stores your passphrase in memory (not in a disk file), and
uses that and the cached private keys to respond to authentication
requests on your behalf.  Ssh-agent exits when your session ends, so
that you don't have your authentication hanging around for the next
user.  And while it is possible to pull the passphrase out of memory,
it's a lot harder than attacking ssh most any other way, and requires a
significant level of access to the machine being attacked.

	I've been meaning to write up something on key-based
authentication anyway.  Incoming soonish.

Cheers,
Raven
 
"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
  -- me and Tiff, flinging stuffed animals and tech humor
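
An added example, not part of Raven's message: a small audit of an ssh client config that reports, for each LocalForward, whether its listening port is below 1024 (which normally needs root, as discussed in the thread) and whether other machines can reach it, which is what -g / GatewayPorts turns on. The config text and host names are constructed samples, and each Host block is evaluated on its own, a simplification of ssh's real matching rules.

```python
import re

PRIVILEGED_BELOW = 1024   # ports under 1024 normally need root to listen on
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample ssh client config (not from the original message).
SAMPLE_CONFIG = """\
Host mailhost
    LocalForward 1110 mail.example.org:110
    LocalForward 25 mail.example.org:25

Host gateway-box
    GatewayPorts yes
    LocalForward 110 mail.example.org:110
    LocalForward *:8025 mail.example.org:25
"""

def audit_forwards(config_text):
    """Return one finding per LocalForward line of an ssh client config."""
    findings, pending = [], []
    host, gateway = "(global)", False

    def flush():
        for bind, port in pending:
            # No bind address: GatewayPorts decides. An explicit one overrides it.
            exposed = gateway if bind is None else bind not in LOOPBACK
            findings.append({"host": host, "port": port, "exposed": exposed,
                             "needs_root": port < PRIVILEGED_BELOW})
        pending.clear()

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            flush()                      # close the previous block
            host, gateway = value, False
        elif key == "gatewayports":
            gateway = value.lower() == "yes"
        elif key == "localforward" and value:
            listen = value.split()[0]    # "[bind_address:]port"
            bind, sep, port = listen.rpartition(":")
            pending.append((bind.strip("[]") if sep else None, int(port)))
    flush()
    return findings

if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_CONFIG):
        print(finding)
```

A forward that is both `exposed` and `needs_root` corresponds to the -g case with a low port described above.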


