Hi,

On Fri, Jul 06, 2018 at 05:54:24PM +1000, Darren Tucker wrote:
> On 6 July 2018 at 17:24, Gert Doering <gert@xxxxxxxxxxxxxx> wrote:
> [...]
> > I think we have one customer connection where their firewall admin
> > thinks "it is more secure that way" - read, we can't ssh in if we come
> > from high ports.
> >
> > OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> > niche problem with a viable workaround, so I can't think of any
> > remaining reason why we'd want suid ssh anymore ;-)
>
> There's another possibility: if you have a NAT-capable packet filter
> in the path you might be able to remap the source ports using source
> NAT. I think that'd be --to-source=1.2.3.4:800:1023 in iptables (not
> sure about other systems, I didn't see an obvious way to do it with
> PF).

While feasible, I wouldn't actually want to do that. "If there needs to
be something special in SSH for this particular customer, I want this to
be visible in /etc/ssh/ssh_config". If I hide it in the network, nobody
but me will understand why things are working, and I will eventually
forget...

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev