On 6 July 2018 at 17:24, Gert Doering <gert@xxxxxxxxxxxxxx> wrote:
[...]
> I think we have one customer connection where their firewall admin
> thinks "it is more secure that way" - read, we can't ssh in if we come
> from high ports.
>
> OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> niche problem with a viable workaround, so I can't think of any
> remaining reason why we'd want suid ssh anymore ;-)

There's another possibility: if you have a NAT-capable packet filter in the path you might be able to remap the source ports using source NAT. I think that'd be --to-source=1.2.3.4:800:1023 in iptables (not sure about other systems, I didn't see an obvious way to do it with PF).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
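The source-NAT workaround described in the reply above, as an added example that is not part of the thread: a small POSIX sh helper that builds the iptables SNAT rule remapping outbound SSH to a privileged source-port range and rejects ranges outside 1-1023. The interface, egress address and peer address are assumed placeholders; note that iptables writes the port range in `--to-source` as `ip:low-high` (hyphen), not with a second colon as in the post.

```shell
#!/bin/sh
# Added example, not code from the openssh-unix-dev thread. Assumed values:
# egress interface eth0, NAT box public address 192.0.2.10 (documentation
# range), restricted peer 198.51.100.20, port range 800-1023 as in the post.

# build_snat_rule IFACE EGRESS_IP PEER_IP LOW HIGH
# Prints the nat/POSTROUTING rule, or fails if LOW-HIGH is not a sub-range
# of the privileged ports (1-1023), which is the whole point of the remap.
build_snat_rule() {
    iface=$1; egress=$2; peer=$3; low=$4; high=$5
    case "$low$high" in
        *[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    if [ "$low" -lt 1 ] || [ "$high" -gt 1023 ] || [ "$low" -gt "$high" ]; then
        echo "port range must lie within 1-1023" >&2
        return 1
    fi
    # Only TCP to port 22 of the restricted peer is rewritten (port mapping in
    # SNAT needs -p tcp/udp); all other traffic keeps its normal high port.
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport 22 -j SNAT --to-source %s:%s-%s\n' \
        "$iface" "$peer" "$egress" "$low" "$high"
}

# max_concurrent LOW HIGH
# Conntrack must give each connection to the same peer a distinct source
# port, so the range size caps the number of simultaneous SSH sessions.
max_concurrent() {
    echo $(( $2 - $1 + 1 ))
}

build_snat_rule eth0 192.0.2.10 198.51.100.20 800 1023
```

The printed rule is applied on the NAT device, not the SSH client; the client keeps using unprivileged ports and needs no setuid binary.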