From Newsgroup: comp.unix.programmer

I've just discovered that the current version of MacOS I'm running (15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and a process
without root permission seems to be able to open a listening socket on any
port it pleases. I'm using a standard user account without AFAIK any special priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar wrote:

I've just discovered that the current version of MacOS I'm running (15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and a process
without root permission seems to be able to open a listening socket on any port it pleases. I'm using a standard user account without AFAIK any special priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179
--
Geoff Clare <netnews@gclare.org.uk>
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Thu, 16 Apr 2026 13:23:47 +0100
Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:

boltar wrote:

I've just discovered that the current version of MacOS I'm running (15.7.5) >> doesn't seem to enforce restricted TCP ports below 1024 and a process
without root permission seems to be able to open a listening socket on any >> port it pleases. I'm using a standard user account without AFAIK any special

priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179

Cheers for that. Whoever "DTS Engineer" is he clearly doesn't understand the reasons the restriction was put in in the first place - ie that the services
on low ports are the real deal and not maybe some credential snatcher spun
up by a user. eg, running a hacked version of sshd on port 22.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:

boltar wrote:

I've just discovered that the current version of MacOS I'm running
(15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and
a process without root permission seems to be able to open a
listening socket on any port it pleases. I'm using a standard user
account without AFAIK any special priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179

Cheers for that. Whoever "DTS Engineer" is he clearly doesn't
understand the reasons the restriction was put in in the first place -
ie that the services on low ports are the real deal and not maybe some credential snatcher spun up by a user. eg, running a hacked version of
sshd on port 22.

Aside from loopback, you never had that assurance anyway.

In the case of SSH, the defence is host key verification, not which port
it runs on.
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Thu, 16 Apr 2026 14:48:08 -0000 (UTC), boltar wrote:

Whoever "DTS Engineer" is he clearly doesn't understand the reasons
the restriction was put in in the first place - ie that the services
on low ports are the real deal and not maybe some credential
snatcher spun up by a user. eg, running a hacked version of sshd on
port 22.

You really expect a remote client to trust a connection to some random
machine just because the destination port number is in some arbitrary rCLprivilegedrCY range?
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Lawrence DrCOOliveiro <ldo@nz.invalid> writes:

On Thu, 16 Apr 2026 14:48:08 -0000 (UTC), boltar wrote:

Whoever "DTS Engineer" is he clearly doesn't understand the reasons
the restriction was put in in the first place - ie that the services
on low ports are the real deal and not maybe some credential
snatcher spun up by a user. eg, running a hacked version of sshd on
port 22.

You really expect a remote client to trust a connection to some random machine just because the destination port number is in some arbitrary rCLprivilegedrCY range?

It probably made more sense in The Old Days, when most users had
accounts on multi-user machines they didn't own.

Today, most users are probably using machines they own or administer,
and have full root access.
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-17, Lawrence DrCOOliveiro wrote:

On Thu, 16 Apr 2026 14:48:08 -0000 (UTC), boltar wrote:

Whoever "DTS Engineer" is he clearly doesn't understand the reasons
the restriction was put in in the first place - ie that the services
on low ports are the real deal and not maybe some credential
snatcher spun up by a user. eg, running a hacked version of sshd on
port 22.

You really expect a remote client to trust a connection to some random machine just because the destination port number is in some arbitrary rCLprivilegedrCY range?

Unless I'm overlooking something...: (and to be fair I should just go
get some sleep)

If the machine has several users and also runs some sort of service,
that client can perhaps have the expectation that a service running at
said machine in such a lower port will either be properly started as
intended by sysadmins, or not be running at all, as opposed to some
other non-privileged user possibly starting something that listens on
that port.
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Lawrence DrCOOliveiro , dans le message <10rrr1p$225jt$3@dont-email.me>, a
|-crit-a:

You really expect a remote client to trust a connection to some random machine just because the destination port number is in some arbitrary rCLprivilegedrCY range?

When rCLsome random machinerCY is a machine on the same network administered by the same time, it becomes a lot more reasonable to trust it. Even if it has untrusted users too.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Nicolas George <nicolas$george@salle-s.org> writes:

Lawrence DrCOOliveiro , dans le message <10rrr1p$225jt$3@dont-email.me>,
a |-crit-a:

You really expect a remote client to trust a connection to some random
machine just because the destination port number is in some arbitrary
rCLprivilegedrCY range?

When rCLsome random machinerCY is a machine on the same network
administered by the same time, it becomes a lot more reasonable to
trust it. Even if it has untrusted users too.

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept;
Windows never had it. You always needed a Unix-only network for the
assumptions about privileged ports being somehow more trustworthy to
hold up.

* If an attacker gets access to your network then they can (almost
certainly) impersonate any device on it at the TCP/IP level, again
violating the assumption about privileged ports being more
trustworthy.

Again, the solution to the problem of impersonation of services is cryptographic authentication. The technology has been established for
decades and is very widely deployed (TLS, SSH, etc).
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Thu, 16 Apr 2026 20:29:37 +0100
Richard Kettlewell <invalid@invalid.invalid> gabbled:

boltar@caprica.universe writes:

Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:

boltar wrote:

I've just discovered that the current version of MacOS I'm running
(15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and
a process without root permission seems to be able to open a
listening socket on any port it pleases. I'm using a standard user
account without AFAIK any special priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179

Cheers for that. Whoever "DTS Engineer" is he clearly doesn't
understand the reasons the restriction was put in in the first place -
ie that the services on low ports are the real deal and not maybe some
credential snatcher spun up by a user. eg, running a hacked version of
sshd on port 22.

Aside from loopback, you never had that assurance anyway.

In the case of SSH, the defence is host key verification, not which port
it runs on.

A hacked version of ssh could save or forward everything it receives.
Crypto is only useful outside of the process, inside its irrelevant.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Thu, 16 Apr 2026 23:23:37 -0000 (UTC)
Lawrence =?iso-8859-13?q?D=FFOliveiro?= <ldo@nz.invalid> gabbled:

On Thu, 16 Apr 2026 14:48:08 -0000 (UTC), boltar wrote:

Whoever "DTS Engineer" is he clearly doesn't understand the reasons
the restriction was put in in the first place - ie that the services
on low ports are the real deal and not maybe some credential
snatcher spun up by a user. eg, running a hacked version of sshd on
port 22.

You really expect a remote client to trust a connection to some random >machine just because the destination port number is in some arbitrary >rCLprivilegedrCY range?

On a corporate LAN, yes.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Richard Kettlewell , dans le message
<wwvfr4uuimd.fsf@LkoBDZeT.terraraq.uk>, a |-crit-a:

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept;
Windows never had it.

Only idiots run servers on these systems anyway.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Thu, 16 Apr 2026 20:29:37 +0100

Richard Kettlewell <invalid@invalid.invalid> gabbled: >>boltar@caprica.universe writes:

Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:

boltar wrote:

I've just discovered that the current version of MacOS I'm running
(15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and >>>>> a process without root permission seems to be able to open a
listening socket on any port it pleases. I'm using a standard user
account without AFAIK any special priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179

Cheers for that. Whoever "DTS Engineer" is he clearly doesn't
understand the reasons the restriction was put in in the first place -
ie that the services on low ports are the real deal and not maybe some
credential snatcher spun up by a user. eg, running a hacked version of
sshd on port 22.

Aside from loopback, you never had that assurance anyway.

In the case of SSH, the defence is host key verification, not which port
it runs on.

A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it
cannot prove to clients that it is the real SSH server (and
users wisely refrain from further interactions with it when
their SSH client spits out an error telling them this).

Crypto is only useful outside of the process, inside its irrelevant.

"Crypto" in this case is about authentication, not just privacy.
Part of the SSH protocol is mutually authenticating both the
client _and_ the server using a cryptographically secured key
exchange.

There is an argument that this is irrelevant for a user who has
never connected to that host before, and hence does not know
what the host key _should_ be. That's a valid point, but this
is not new: it has been known since SSH first arrived on the
scene decades ago. The solution has generally been to publish
the host public key widely.

But running the server as "root" doesn't solve that problem, if
"root" on the destination machine has been compromised.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Thu, 16 Apr 2026 20:29:37 +0100

A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

Crypto is only useful outside of the process, inside its irrelevant.

"Crypto" in this case is about authentication, not just privacy.
Part of the SSH protocol is mutually authenticating both the
client _and_ the server using a cryptographically secured key
exchange.

Irrelevant. A hacked ssh server could do anything the hacker wants with the decrypted data. You do realise the data has to be decrypted by ssh in order to do anything with it, right? Or did you think it passed the encrypted stream direct to bash?

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <69e23a5a$0$992$426a74cc@news.free.fr>,
Nicolas George <nicolas$george@salle-s.org> wrote:

Richard Kettlewell , dans le message
<wwvfr4uuimd.fsf@LkoBDZeT.terraraq.uk>, a |-crit-a:

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept;
Windows never had it.

Only idiots run servers on these systems anyway.

What a ridiculously simplistic take.

Consider a corporate network with central administration of e.g.
Mac and Windows workstations: you know, the kind of network that
people use to actually get stuff done.

Those workstations almost certainly run some kind of service
agent that provides the interface for participating in the
management system: providing telemetry, updating software; all
that kind of thing. This obviously implies running some kind
of "server" on those systerms.

Cryptographically authenticating those servers is far, far more
secure than relying on some notion of privileged "port". And
once all of your services are using strong authentication, what
is the value of restricting access to ports based on their
number?

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rqsr8$1bra1$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Thu, 16 Apr 2026 13:23:47 +0100

Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:

boltar wrote:

I've just discovered that the current version of MacOS I'm running (15.7.5) >>> doesn't seem to enforce restricted TCP ports below 1024 and a process
without root permission seems to be able to open a listening socket on any >>> port it pleases. I'm using a standard user account without AFAIK any special

priviledges given to it.

Perhaps MacOS never enforced this, anyone know?

Apparently it changed in MacOS Mojave to match how iOS behaves.

See https://developer.apple.com/forums/thread/674179

Cheers for that. Whoever "DTS Engineer" is he clearly doesn't understand the >reasons the restriction was put in in the first place - ie that the services >on low ports are the real deal and not maybe some credential snatcher spun
up by a user. eg, running a hacked version of sshd on port 22.

You're right.

That engineer probably never had to deal with computationally
expensive cryptographic code on a slow VAX-11 computer with
performance masured at less than one million instructions per
second and RAM in the single-digit megabytes, running an
operating system designed for unnetworked timesharing on a
single machine, with no useful data that would let them securely
authenticate users across an untrusted network (let alone
provide mutual authentication of the server!), all while the
system was loaded down with 20 interactive timesharing users all
trying to do real work.

Well, having dealt with that myself, all I can say is, thank
goodness those days ended in the mid-1980s!

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rtgq7$2h4os$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Thu, 16 Apr 2026 20:29:37 +0100

A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

...because the file containing the host private key is owned by
root, and not the user? And the client has a cached copy of the
host public key locally whent hey connect?

Unless the attacker is already running as root, in which case,
they could just bind to a low port anyway.

Crypto is only useful outside of the process, inside its irrelevant.

"Crypto" in this case is about authentication, not just privacy.
Part of the SSH protocol is mutually authenticating both the
client _and_ the server using a cryptographically secured key
exchange.

Irrelevant. A hacked ssh server could do anything the hacker wants with the >decrypted data.

What decrypted data? Authentication of the incoming connection
happens when the connection is established, before a session is
initiated, and thus before any data is exchanged, let alone
"decrypted", and before anything is "run" on the server.

If authentication fails, "bash" (which is not the only shell
people use) is never invoked.

You do realise the data has to be decrypted by ssh in order to
do anything with it, right?

It sounds like you might not have a good handle on how the
session is established, and in particular, how it is
authenticated.

Or did you think it passed the encrypted stream
direct to bash?

Passing a stream of encrypted data to bash is likely to produce
nonsense.

- Dan C

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtgq7$2h4os$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

....because the file containing the host private key is owned by
root, and not the user? And the client has a cached copy of the
host public key locally whent hey connect?

Oh FFS, the hacker server would use whatever keys the hacker wanted it to
use. Do try and keep up.

Irrelevant. A hacked ssh server could do anything the hacker wants with the >>decrypted data.

What decrypted data? Authentication of the incoming connection

*plonk*

I honestly can't be bothered.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtgq7$2h4os$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

....because the file containing the host private key is owned by
root, and not the user? And the client has a cached copy of the
host public key locally whent hey connect?

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >use. Do try and keep up.

...and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Irrelevant. A hacked ssh server could do anything the hacker wants with the >>>decrypted data.

What decrypted data? Authentication of the incoming connection

*plonk*

Probably for the best.

I honestly can't be bothered.

Yes. You clearly, obviously, can't be bothered to understand
even the most rudimentary concepts around how public key
authentication works. Like, at all.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

<boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

Non-root users canrCOt read the legitimate host key:

$ ls -l /etc/ssh/ssh_host_ed25519_key
-rw------- 1 root root 399 Dec 10 2017 /etc/ssh/ssh_host_ed25519_key
$ cat /etc/ssh/ssh_host_ed25519_key
cat: /etc/ssh/ssh_host_ed25519_key: Permission denied

If a malicious non-root user creates their own host key then clients
will refuse to talk to their SSH server. For example OpenSSH display an
error like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:+Mcf1WuwKOE+5Nr6XFc10mmnQisAJ8SQkn72FdVpWjA.
Please contact your system administrator.
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtgq7$2h4os$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

....because the file containing the host private key is owned by
root, and not the user? And the client has a cached copy of the
host public key locally whent hey connect?

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >use. Do try and keep up.

You don't seem to have an understanding of the session
establishment protocol used by ssh, or the context of the
thread you've butted into (context: the ability for a
non-privileged process to bind to ports below 1024).

In that particular scenario, the non-privleged process
cannot read the host key. Yes, it can present a different
host key, which David pointed out may cause the client to
complain that the host key has been changed - a clear warning
to the user that the host he is attempting to log into may
have been compromised.

*plonk*

I honestly can't be bothered.

Yeah, it's hard for you to coherently argue about topic you
seem to know very little about.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

scott@slp53.sl.home (Scott Lurndal) writes:

boltar@caprica.universe writes:

[...]

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>use. Do try and keep up.

You don't seem to have an understanding of the session
establishment protocol used by ssh, or the context of the
thread you've butted into (context: the ability for a
non-privileged process to bind to ports below 1024).

In that particular scenario, the non-privleged process
cannot read the host key. Yes, it can present a different
host key, which David pointed out may cause the client to
complain that the host key has been changed - a clear warning
to the user that the host he is attempting to log into may
have been compromised.

[...]

If I understand correctly, a non-root user can set up a server on a "privileged" port, but not if that port is already in use. If root
is already has sshd listening on port 22, a non-root user won't
be able to set up another server on the same port. (And an ssh
server on a port other than 22 isn't going to be visible unless
someone goes looking for it.)

Which means, unless I'm missing something, that the warning about
a changed host key is not likely to show up. (Unless the system
doesn't have an ssh server -- but then how does the user get
into it?)

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

More plausibly, a non-root user could set up an ftp server.
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:

If I understand correctly, a non-root user can set up a server on a "privileged" port, but not if that port is already in use. If root is already has sshd listening on port 22, a non-root user won't be able
to set up another server on the same port. (And an ssh server on a
port other than 22 isn't going to be visible unless someone goes
looking for it.)

Yes.

Which means, unless I'm missing something, that the warning about
a changed host key is not likely to show up.

However things end up with a bogus server running, in the end thererCOs
just two possibilities: either the client already knows legitimate a
host key for the server, or it doesnrCOt. In the former case the client presents its user with a message about the host key changing; in the
latter case it presents its user with the host key hash to confirm. For example, with OpenSSH:

The authenticity of host 'hostname (192.168.0.1)' can't be established.
ECDSA key fingerprint is SHA256:KkkvOHG9x/ytdyQybQeTepWeTbQ1m3aNH8yFajCMMW4.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

ThererCOs no situation where a session is just established with an unknown
host key and zero user intervention.

(Unless the system doesn't have an ssh server -- but then how does the
user get into it?)

We started out talking about Macs, in which case, probably physical
access. But theyrCOre almost all personal systems so the single legitimate
user is the administrator anyway.

Other options are remote desktop, VNC, a serial port, or exploiting an
RCE vulnerability.

And even if there's no existing ssh server, a non-root sshd would only provide access to the user's account.

The attack is that the substitute SSH server simulates a legitimate
session and captures any credentials the end user enters. Success is
most likely if the user uses password authentication (and probably quite unlikely otherwise, unless the attacker knows a lot about the userrCOs expectations).
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 10:31:52 -0000 (UTC), boltar wrote:

On Thu, 16 Apr 2026 23:23:37 -0000 (UTC), Lawrence DrCOOliveiro wrote:

You really expect a remote client to trust a connection to some
random machine just because the destination port number is in some
arbitrary rCLprivilegedrCY range?

On a corporate LAN, yes.

Unless the LAN is very small, that doesnrCOt seem wise ...
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

scott@slp53.sl.home (Scott Lurndal) writes:

boltar@caprica.universe writes:

[...]

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>use. Do try and keep up.

You don't seem to have an understanding of the session
establishment protocol used by ssh, or the context of the
thread you've butted into (context: the ability for a
non-privileged process to bind to ports below 1024).

In that particular scenario, the non-privleged process
cannot read the host key. Yes, it can present a different
host key, which David pointed out may cause the client to
complain that the host key has been changed - a clear warning
to the user that the host he is attempting to log into may
have been compromised.

[...]

If I understand correctly, a non-root user can set up a server on a >"privileged" port, but not if that port is already in use. If root
is already has sshd listening on port 22, a non-root user won't
be able to set up another server on the same port. (And an ssh
server on a port other than 22 isn't going to be visible unless
someone goes looking for it.)

Which means, unless I'm missing something, that the warning about
a changed host key is not likely to show up. (Unless the system
doesn't have an ssh server -- but then how does the user get
into it?)

The SSH protocol is conceptually layered into two parts: the
"SSH transport protocol", described in RFC4253, is the lower
layer protocol, and authenticates _hosts_ (see section 1 of the
RFC). A side-effect of the host authentication exchange is
the generation of a random ephemeral encryption key suitable for
use with a symmetric cipher.

This type of authentication is based on public key cryptography.
When SSH server software is installed onto a computer, part of
the initial configuration process is generating a public/private
key pair (the "host key") that is used in the host
authentication protocol; the public key is distributed widely,
while the private key is (as the name implies) private to the
server itself. One of the most basic mechanisms for securing
the host private key is ensuring that only the administrator can
read it.

User authentication is described in RFC4252 ("the Secure Shell
Authentication Protocol"). It is intended to be used over a
connection already host-authenticated and encrypted by the SSH
transport protocol.

You are correct that if an SSH server is already running and
bound to the well-known SSH server port (e.g., TCP port 22),
then some other programm cannot bind to that port (even if
running as root).

But suppose the SSH daemon is not running, and some random user
sets up an imposter server listening on that port. Since
unprivileged users can bind any port (including 22), they can do
so. But, since they presumably cannot read the file containing
the host private key, they lack the cryptographic key material
required to authenticate as the real server using the RFC4253
host authentication protocol. Clients will notice that and
fail to establish an SSH transport protocol connection, well
before user authentication is attempted, let alone a shell or
anything similar is executed.

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

Not even. The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

More plausibly, a non-root user could set up an ftp server.

Potentially they could, though most Unix-y systems store the
user's password hashed using some one-way algorithm that is not
easily invertible, and on top of that, only allow privileged
access to the hashed passwords. So they could set up an
imposter FTP service (who uses the insecure FTP protocol in this
day and age?!) and collect passwords the user enters, but they
could not necessarily validate that those passwords are actually
the user's real password.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

cross@spitfire.i.gajendra.net (Dan Cross) writes:
[...]

But suppose the SSH daemon is not running, and some random user
sets up an imposter server listening on that port. Since
unprivileged users can bind any port (including 22), they can do
so. But, since they presumably cannot read the file containing
the host private key, they lack the cryptographic key material
required to authenticate as the real server using the RFC4253
host authentication protocol. Clients will notice that and
fail to establish an SSH transport protocol connection, well
before user authentication is attempted, let alone a shell or
anything similar is executed.

And *some* users will see the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message and blindly add the new key to their known_hosts file.

[...]
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <87cxzxrvvl.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote: >cross@spitfire.i.gajendra.net (Dan Cross) writes:

[...]

But suppose the SSH daemon is not running, and some random user
sets up an imposter server listening on that port. Since
unprivileged users can bind any port (including 22), they can do
so. But, since they presumably cannot read the file containing
the host private key, they lack the cryptographic key material
required to authenticate as the real server using the RFC4253
host authentication protocol. Clients will notice that and
fail to establish an SSH transport protocol connection, well
before user authentication is attempted, let alone a shell or
anything similar is executed.

And *some* users will see the "WARNING: REMOTE HOST IDENTIFICATION HAS >CHANGED!" message and blindly add the new key to their known_hosts file.

*shrug* People will do all sorts of ill-advised things. You can
lead a horse to water, but cannot make it drink.

Here's a scenario in which the whole "reserved ports" thing does
not help. Consider cases where the `ssh` daemon would not be
running. One such case might be when the server is down for
maintenance. Here, a malicious actor might put a different
machine that they control onto the network, and configure it
with the MAC and IP addresses of the target server; they then
start whatever ssh daemon they like, as root: which they can do
since it's their machine.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-17, Nicolas George wrote:

Richard Kettlewell , dans le message
<wwvfr4uuimd.fsf@LkoBDZeT.terraraq.uk>, a |-crit-a:

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept;
Windows never had it.

Only idiots run servers on these systems anyway.

I feel targeted, given that in one of the few occasions where I used
macOS, I did start an X server to run a tiling WM in :-P
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people logging in.

I honestly can't be bothered.

Yes. You clearly, obviously, can't be bothered to understand
even the most rudimentary concepts around how public key
authentication works. Like, at all.

And you apparently have no idea that if someone has the source code to a program they can make it do and behave whatever and however they want.
I suggest you stick to sys admin and leave the dev discussions to people
who have a clue.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 19:56:58 GMT
scott@slp53.sl.home (Scott Lurndal) gabbled:

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtgq7$2h4os$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Fri, 17 Apr 2026 14:04:20 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> >wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives. >>>>>

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

....because the file containing the host private key is owned by
root, and not the user? And the client has a cached copy of the
host public key locally whent hey connect?

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>use. Do try and keep up.

You don't seem to have an understanding of the session
establishment protocol used by ssh, or the context of the
thread you've butted into (context: the ability for a
non-privileged process to bind to ports below 1024).

Ah the irony :) I started the thread you idiot. Not worth reading anything
else you wrote if you can't even get that correct.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 20:09:32 +0100
Richard Kettlewell <invalid@invalid.invalid> gabbled:

boltar@caprica.universe writes:

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

<boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole thing?

Non-root users canrCOt read the legitimate host key:

Why would the hacked server need to?

$ ls -l /etc/ssh/ssh_host_ed25519_key
-rw------- 1 root root 399 Dec 10 2017 /etc/ssh/ssh_host_ed25519_key
$ cat /etc/ssh/ssh_host_ed25519_key
cat: /etc/ssh/ssh_host_ed25519_key: Permission denied

If a malicious non-root user creates their own host key then clients
will refuse to talk to their SSH server. For example OpenSSH display an
error like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

How can it have changed if the only sshd running was the one the hacker
set up?


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 13:34:39 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

scott@slp53.sl.home (Scott Lurndal) writes:
If I understand correctly, a non-root user can set up a server on a >"privileged" port, but not if that port is already in use. If root

Yes, thats kind of how TCP works. Would be a bit tricky having 2 programs
on the same port.

Which means, unless I'm missing something, that the warning about
a changed host key is not likely to show up. (Unless the system
doesn't have an ssh server -- but then how does the user get
into it?)

Console.

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

That would be main downside, not the handwaving guff about certificates
that others have come up with.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Fri, 17 Apr 2026 22:56:50 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

Not even. The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

And why's that? Do give us the benefit of your wisdom.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

Richard Kettlewell <invalid@invalid.invalid> gabbled:

boltar@caprica.universe writes:

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

<boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it
receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole
thing?

Non-root users canrCOt read the legitimate host key:

Why would the hacked server need to?

The point is that your hacked server is not going to be using the
legitimate host key.

If a malicious non-root user creates their own host key then clients
will refuse to talk to their SSH server. For example OpenSSH display an
error like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

How can it have changed if the only sshd running was the one the hacker
set up?

Largely already discussed in <wwvo6jh1cfw.fsf@LkoBDZeT.terraraq.uk>, but
in brief, if the client doesnrCOt already trust the key then the user gets
told that the key is unknown, and if it does then the user has at some
point in the past chosen to trust that key (or a CA that signed it).
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 13:02:44 +0100
Richard Kettlewell <invalid@invalid.invalid> gabbled:

boltar@caprica.universe writes:

Richard Kettlewell <invalid@invalid.invalid> gabbled: >>>boltar@caprica.universe writes:

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

<boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it
receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole
thing?

Non-root users canrCOt read the legitimate host key:

Why would the hacked server need to?

The point is that your hacked server is not going to be using the
legitimate host key.

And why would there be a legitimate host key in the first place? You're assuming there was a legitimate version of sshd running there beforehand
which clients had connected to.

How can it have changed if the only sshd running was the one the hacker
set up?

Largely already discussed in <wwvo6jh1cfw.fsf@LkoBDZeT.terraraq.uk>, but
in brief, if the client doesnrCOt already trust the key then the user gets >told that the key is unknown, and if it does then the user has at some
point in the past chosen to trust that key (or a CA that signed it).

Yes, we all know this. And? No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rvmcd$1hiok$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >logging in.

Wow, you really don't get it.

I honestly can't be bothered.

Yes. You clearly, obviously, can't be bothered to understand
even the most rudimentary concepts around how public key
authentication works. Like, at all.

And you apparently have no idea that if someone has the source code to a >program they can make it do and behave whatever and however they want.
I suggest you stick to sys admin and leave the dev discussions to people
who have a clue.

Lol. I'm not a sysadmin.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10rvn05$355fj$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Fri, 17 Apr 2026 22:56:50 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

Not even. The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

And why's that? Do give us the benefit of your wisdom.

I already explained it. You didn't understand it. I see no
reason to believe that explaining it again would enlighten you,
as you seem to revel in deliberate ignorance.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Anyway, lots has been said in this thread, but I suppose
nobody has mentioned that running sshd on port > 1024
is pretty common nowadays.

I know that my hosting provider runs sshd on port 5757.

It is probably to buy some time in case there is a
serious sshd vulnerability. The port scanners would
usually scan the port 22 and my hosting provider might
have enough time to patch their sshd.

br,
KK

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:06:24 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rvmcd$1hiok$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >>logging in.

Wow, you really don't get it.

What, that people ignore warnings?

And you apparently have no idea that if someone has the source code to a >>program they can make it do and behave whatever and however they want.
I suggest you stick to sys admin and leave the dev discussions to people >>who have a clue.

Lol. I'm not a sysadmin.

Stick to cleaning the floors then because you apparently have no idea about modifying code.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rvn05$355fj$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Fri, 17 Apr 2026 22:56:50 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

Not even. The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

And why's that? Do give us the benefit of your wisdom.

I already explained it. You didn't understand it. I see no

No you haven't. At all.

reason to believe that explaining it again would enlighten you,
as you seem to revel in deliberate ignorance.

The only ignorant person is you who seems to think an ssh client wouldn't connect to a modified sshd not running as root because [reasons].

Please give those reasons or go find something more useful to do.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:14:38 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Pfft, yeah, right.

Anyway, lots has been said in this thread, but I suppose
nobody has mentioned that running sshd on port > 1024
is pretty common nowadays.

Security by obscurity never works. A port scanner would find it in minutes.


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s07ro$3a575$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:06:24 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rvmcd$1hiok$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >>>logging in.

Wow, you really don't get it.

What, that people ignore warnings?

And you apparently have no idea that if someone has the source code to a >>>program they can make it do and behave whatever and however they want.
I suggest you stick to sys admin and leave the dev discussions to people >>>who have a clue.

Lol. I'm not a sysadmin.

Stick to cleaning the floors then because you apparently have no idea about >modifying code.

Hey, I'm not the one who doesn't understand how SSH works, Mr
Anonymous Internet Rando Guy.

- Dan C.


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s07uq$3a63c$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rvn05$355fj$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 22:56:50 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <87tst9s4v4.fsf@kst.eternal-september.org>,
Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

And even if there's no existing ssh server, a non-root sshd would >>>>>only provide access to the user's account.

Not even. The client wouldn't be able to authenticate the
identity of the server _at all_, regardless of what user it was
running at.

And why's that? Do give us the benefit of your wisdom.

I already explained it. You didn't understand it. I see no

No you haven't. At all.

Go read RFC 4253.

reason to believe that explaining it again would enlighten you,
as you seem to revel in deliberate ignorance.

The only ignorant person is you who seems to think an ssh client wouldn't >connect to a modified sshd not running as root because [reasons].

Please give those reasons or go find something more useful to do.

See above reference.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:48:03 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07ro$3a575$1@dont-email.me>, <boltar@caprica.universe> wrote: >>Stick to cleaning the floors then because you apparently have no idea about >>modifying code.

Hey, I'm not the one who doesn't understand how SSH works, Mr

You're the one who doesn't seem to understand that as long as the client
gets a valid certificate its happy. Beyond that all bets are off.

Anonymous Internet Rando Guy.

And what? Perhaps you should be too - no one is going to be too impressed
with your inability to follow a line of deduction if they google your name though you might be lucky in that google probably no longer indexes usenet
now.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe wrote:

Security by obscurity never works. A port scanner would find it in minutes.

You have already proven your stupidity in this thread
many times before. Your lack of understanding is huge.

br,
KK
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Nuno Silva <nunojsilva@invalid.invalid> writes:

On 2026-04-17, Nicolas George wrote:

Richard Kettlewell , dans le message
<wwvfr4uuimd.fsf@LkoBDZeT.terraraq.uk>, a |-crit-a:

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept; >>> Windows never had it.

Only idiots run servers on these systems anyway.

There were a couple of occasions where Apple tried to
enter the server market (e.g. the 1U Xserv). They never
really caught on. IIRC, they were intending at one
point to use their ARM64 silicon in a line of servers.

They do build custom servers for their own datacenters
using their ARM64 silicon.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:48:38 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07uq$3a63c$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)

I already explained it. You didn't understand it. I see no

No you haven't. At all.

Go read RFC 4253.

What about it? You think someone in there it says "if the sshd code is hacked it automagically won't work! So ya boo sucks Mr hacker!".

reason to believe that explaining it again would enlighten you,
as you seem to revel in deliberate ignorance.

The only ignorant person is you who seems to think an ssh client wouldn't >>connect to a modified sshd not running as root because [reasons].

Please give those reasons or go find something more useful to do.

See above reference.

You truly are an idiot.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >logging in.

That's likely to be the case. ssh isn't generally used by unsophisticated users (you may be an exception to the rule).
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s09b5$3ajoj$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:48:03 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07ro$3a575$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>Stick to cleaning the floors then because you apparently have no idea about >>>modifying code.

Hey, I'm not the one who doesn't understand how SSH works, Mr

You're the one who doesn't seem to understand that as long as the client
gets a valid certificate its happy. Beyond that all bets are off.

Actually, I acknowledged that in my first post on the matter.
Not my fault if you can't read.

Anonymous Internet Rando Guy.

And what? Perhaps you should be too - no one is going to be too impressed >with your inability to follow a line of deduction if they google your name >though you might be lucky in that google probably no longer indexes usenet >now.

I'm not too worried about my reputation, but I can see why you
keep yourself anonymous.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:52:56 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

Security by obscurity never works. A port scanner would find it in minutes.

You have already proven your stupidity in this thread
many times before. Your lack of understanding is huge.

So you think sshd isn't vulnerable to DDoS. Another fool to put on the list.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s09gt$3al9g$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:48:38 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07uq$3a63c$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)

I already explained it. You didn't understand it. I see no

No you haven't. At all.

Go read RFC 4253.

What about it? You think someone in there it says "if the sshd code is hacked >it automagically won't work! So ya boo sucks Mr hacker!".

...and you think that magically restricting access to port 22
fixes that?

reason to believe that explaining it again would enlighten you,
as you seem to revel in deliberate ignorance.

The only ignorant person is you who seems to think an ssh client wouldn't >>>connect to a modified sshd not running as root because [reasons].

Please give those reasons or go find something more useful to do.

See above reference.

You truly are an idiot.

I think you don't understand how cryptography works.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:56:25 GMT
scott@slp53.sl.home (Scott Lurndal) gabbled:

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >>logging in.

That's likely to be the case. ssh isn't generally used by unsophisticated >users (you may be an exception to the rule).

No, it isn't, because ALL first ssh connections give that warning and almost all people ignore it. But I wouldn't expect an aspie to understand that.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:56:47 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s09b5$3ajoj$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sat, 18 Apr 2026 15:48:03 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07ro$3a575$1@dont-email.me>, <boltar@caprica.universe> wrote:

Stick to cleaning the floors then because you apparently have no idea about >>>>modifying code.

Hey, I'm not the one who doesn't understand how SSH works, Mr

You're the one who doesn't seem to understand that as long as the client >>gets a valid certificate its happy. Beyond that all bets are off.

Actually, I acknowledged that in my first post on the matter.
Not my fault if you can't read.

So you're arguing against yourself. Have fun.

And what? Perhaps you should be too - no one is going to be too impressed >>with your inability to follow a line of deduction if they google your name >>though you might be lucky in that google probably no longer indexes usenet >>now.

I'm not too worried about my reputation, but I can see why you

I wouldn't be if I were you either , too late :)

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:52:56 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

Security by obscurity never works. A port scanner would find it in minutes. >>

You have already proven your stupidity in this thread
many times before. Your lack of understanding is huge.

So you think sshd isn't vulnerable to DDoS. Another fool to put on the list.

You are the first to mention DDoS. I was speaking of running sshd
on ports higher than 1024. Hahah!

br,
KK
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

Richard Kettlewell <invalid@invalid.invalid> gabbled:

boltar@caprica.universe writes:

Richard Kettlewell <invalid@invalid.invalid> gabbled: >>>>boltar@caprica.universe writes:

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

<boltar@caprica.universe> wrote:

On Thu, 16 Apr 2026 20:29:37 +0100
A hacked version of ssh could save or forward everything it
receives.

Not if it can't read the host key because it doesn't have
permissions to open the file the key is stored in, and so it

Why wouldn't it have permissions if a user has set up the whole
thing?

Non-root users canrCOt read the legitimate host key:

Why would the hacked server need to?

The point is that your hacked server is not going to be using the >>legitimate host key.

And why would there be a legitimate host key in the first place?
You're assuming there was a legitimate version of sshd running there beforehand which clients had connected to.

The text below covers the case where there wasnrCOt one, but: whatrCOs the
end user model here? Why are they connecting to this host that doesnrCOt normally run a legitimate SSH server? Why would they then expect it to
be benign?

How can it have changed if the only sshd running was the one the hacker
set up?

Largely already discussed in <wwvo6jh1cfw.fsf@LkoBDZeT.terraraq.uk>, but
in brief, if the client doesnrCOt already trust the key then the user gets >>told that the key is unknown, and if it does then the user has at some >>point in the past chosen to trust that key (or a CA that signed it).

Yes, we all know this. And? No one when first connecting to an sshd
goes to google the key to see if its valid, they type "yes" and carry
on.

If you trust random keys for no good reason, go ahead and install this
in your browserrCOs and systemrCOs root CA store:

-----BEGIN CERTIFICATE----- MIIC4jCCAkSgAwIBAgIUQflzkxUeOeQ/Fs0m7OLUV2UP2xIwCgYIKoZIzj0EAwIw ejELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE1hcnlsYW5kMRMwEQYDVQQHDApGb3J0 IE1lYWRlMQwwCgYDVQQKDANOU0ExGDAWBgNVBAsMD1NBVkFNQSBvdXRyZWFjaDEb MBkGA1UEAwwSTlNBIFNBVkFNQSBpbnRlcm9wMCAXDTI2MDQxODExNTczN1oYDzQ3 NjQwMzE0MTE1NzM3WjB6MQswCQYDVQQGEwJVUzERMA8GA1UECAwITWFyeWxhbmQx EzARBgNVBAcMCkZvcnQgTWVhZGUxDDAKBgNVBAoMA05TQTEYMBYGA1UECwwPU0FW QU1BIG91dHJlYWNoMRswGQYDVQQDDBJOU0EgU0FWQU1BIGludGVyb3AwgZswEAYH KoZIzj0CAQYFK4EEACMDgYYABACLxy0xmF0sPsmsQpq8CUUebk1CUFAnXwsaZK3k m6XsYFSI9Id4HVPsf8Bc+SNCQJUct21QHPn6Kx0NTV1zmc7RDgDs6E8kR566Hzj/ bsb1byFapTVnq1pP9OzJGteyQMAiJK/PAf/95rdPKG3vurkeZzVj2KBZE4okRH0p +dGN0fIs5qNjMGEwHQYDVR0OBBYEFAbcbSxrY6U+adIB2orE5Gu5b4gFMB8GA1Ud IwQYMBaAFAbcbSxrY6U+adIB2orE5Gu5b4gFMA8GA1UdEwEB/wQFMAMBAf8wDgYD VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA4GLADCBhwJBNKc0DvzfS1dIpIiN25rK rP4NNaB17pPFWcBQwZnwRpFfkwdUlernKhrBGX9jHVj3DJvwSdTPi3W3LgZSHzst J6oCQgDsMhe4oAIR/Jj50o60ZL7L63nWfnUbXb6hrTtgZjBxT4vqc/YzFMbPvg2H gfYrH3aUM8H3RaDeaqLqCqX2syt2PA==
-----END CERTIFICATE-----

Personally IrCOm a bit more cautious, and donrCOt opt in to being attacked.
--
https://www.greenend.org.uk/rjk/
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <rPNER.152417$scof.12054@fx01.iad>,
Scott Lurndal <slp53@pacbell.net> wrote:

Nuno Silva <nunojsilva@invalid.invalid> writes:

On 2026-04-17, Nicolas George wrote:

Richard Kettlewell , dans le message
<wwvfr4uuimd.fsf@LkoBDZeT.terraraq.uk>, a |-crit-a:

That only works in specific niches.

* macOS is not the first OS to discard the rCyprivileged portrCO concept; >>>> Windows never had it.

Only idiots run servers on these systems anyway.

There were a couple of occasions where Apple tried to
enter the server market (e.g. the 1U Xserv). They never
really caught on. IIRC, they were intending at one
point to use their ARM64 silicon in a line of servers.

I used those once. There wasnt much to recommend them, sadly.
The hardware was nice, but the cost/performance ratio was too
high and the software was anemic for server applications.

They do build custom servers for their own datacenters
using their ARM64 silicon.

They have undeniably nice kit, but the software focus on enduser
applications isnt a great fit for datacenters.

Do you remember the PowerPC machine they shipped that ran AIX?
Talk about a shotgun wedding....

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s09od$3angd$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:56:47 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s09b5$3ajoj$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Sat, 18 Apr 2026 15:48:03 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07ro$3a575$1@dont-email.me>, <boltar@caprica.universe> wrote:

Stick to cleaning the floors then because you apparently have no idea about
modifying code.

Hey, I'm not the one who doesn't understand how SSH works, Mr

You're the one who doesn't seem to understand that as long as the client >>>gets a valid certificate its happy. Beyond that all bets are off.

Actually, I acknowledged that in my first post on the matter.
Not my fault if you can't read.

So you're arguing against yourself. Have fun.

Since you don't seem to ve able to read, let alone comprehend,
how any of this ACTUALLY works, I can see how you might believe
that.

And what? Perhaps you should be too - no one is going to be too impressed >>>with your inability to follow a line of deduction if they google your name >>>though you might be lucky in that google probably no longer indexes usenet >>>now.

I'm not too worried about my reputation, but I can see why you

I wouldn't be if I were you either , too late :)

...he says as he hides behind a thin veneer of anonymity.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 14:40:14 -0000 (UTC), boltar wrote:

No one when first connecting to an sshd goes to google the key to
see if its valid, they type "yes" and carry on.

You donrCOt rCLgooglerCY host keys, you get them from a trusted source.

The host key fingerprint is designed to be short enough that someone
could verify it to you over the phone, for example.

This is all covered in Security 101. Because, you know, a systemrCOs
security is only as strong as its weakest link.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-18, boltar@caprica.universe wrote:

On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)

Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people logging in.

I honestly can't be bothered.

Yes. You clearly, obviously, can't be bothered to understand
even the most rudimentary concepts around how public key
authentication works. Like, at all.

And you apparently have no idea that if someone has the source code to a program they can make it do and behave whatever and however they want.
I suggest you stick to sys admin and leave the dev discussions to people
who have a clue.

It'd still take a lot of luck to have the code generate the same private
key as the one you want to impersonate.


(The way you word it sounds like you'd also say it's just a matter of
coding to be able to write a computer program that prints 1 if a program
given as input will terminate and 0 if it will keep running forever?)
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-18, boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:56:25 GMT
scott@slp53.sl.home (Scott Lurndal) gabbled:

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 16:09:19 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10rtkrv$2ifdm$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Fri, 17 Apr 2026 15:20:09 -0000 (UTC)
Oh FFS, the hacker server would use whatever keys the hacker wanted it to >>>>>use. Do try and keep up.

....and then they wouldn't match what the user already had in
their, `.ssh/known_hosts` file.

Right, because an extra warning prompt from the client will stop people >>>logging in.

That's likely to be the case. ssh isn't generally used by unsophisticated >>users (you may be an exception to the rule).

No, it isn't, because ALL first ssh connections give that warning and almost all people ignore it. But I wouldn't expect an aspie to understand that.

This is not "UAC" in Windows NT 6.0, not even comparable, if the warning
is only shown when there is a reason for it to be: either you're setting
it anew, or something changed.

It's quite easy to include some note on this in e.g. tutorials people
would follow to connect to some organization's ssh services, and that's
besides clients themselves often adding a note of some sort.

It's not some kind of nagging that makes people automatically dismiss
it.
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-18, boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:14:38 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Pfft, yeah, right.

I'm not saying you should read the room, but you should at least read
the posts in the thread. It should be evident to you at this point that
at least some people here are at least to some extent cautious enough in
these matters.

Anyway, lots has been said in this thread, but I suppose
nobody has mentioned that running sshd on port > 1024
is pretty common nowadays.

Security by obscurity never works. A port scanner would find it in
minutes.

It can delay, it really depends on what is being obscured. Not knowing a private key is sort of obscurity, isn't it?
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s12fp$3itid$3@dont-email.me>,
Nuno Silva <nunojsilva@invalid.invalid> wrote:

[snip]
(The way you word it sounds like you'd also say it's just a matter of
coding to be able to write a computer program that prints 1 if a program >given as input will terminate and 0 if it will keep running forever?)

Oh no; careful: you'll summon P.O. and the gang that's always
arguing with him, and this will turn into comp.theory 2.0.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s13ri$3itid$5@dont-email.me>,
Nuno Silva <nunojsilva@invalid.invalid> wrote:

On 2026-04-18, boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:14:38 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Pfft, yeah, right.

I'm not saying you should read the room, but you should at least read
the posts in the thread. It should be evident to you at this point that
at least some people here are at least to some extent cautious enough in >these matters.

That presumes that he can read.

Anyway, lots has been said in this thread, but I suppose
nobody has mentioned that running sshd on port > 1024
is pretty common nowadays.

Security by obscurity never works. A port scanner would find it in
minutes.

It can delay, it really depends on what is being obscured. Not knowing a >private key is sort of obscurity, isn't it?

This fool also doesn't seem to understand that it's all about
relative effort; the Internet is so chock-full of soft targets
it is hardly worth an adversary's time to search non-default
ports, but a lot of systems change the default simply because
they're tired of their logs being choked by random bot scanning
for known vulnerabilities.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 13:34:39 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

[...]

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

That would be main downside, not the handwaving guff about certificates
that others have come up with.

One last thing: I don't know whether the your user name "boltar"
is a misspelling of "Baltar" or not.

Don't bother answering. Your recent habit of insulting people,
particularly people who are quite knowledgeable, has earned you a
spot in my killfile. Others will do as they want, but for the sake
of the signal/noise ratio of this newsgroup, I encourage everyone
else to stop replying to your posts.
--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
void Void(void) { Void(); } /* The recursive call of the void */
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 15:57:42 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s09gt$3al9g$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sat, 18 Apr 2026 15:48:38 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07uq$3a63c$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)

I already explained it. You didn't understand it. I see no

No you haven't. At all.

Go read RFC 4253.

What about it? You think someone in there it says "if the sshd code is hacked >>it automagically won't work! So ya boo sucks Mr hacker!".

....and you think that magically restricting access to port 22
fixes that?

No, I'm saying its a small link in the chain of security.

You truly are an idiot.

I think you don't understand how cryptography works.

You think sshd doesn't decrpyt the data before it forwards it to bash? Aww, bles
s.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 16:12:31 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s09od$3angd$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sat, 18 Apr 2026 15:56:47 -0000 (UTC)

I'm not too worried about my reputation, but I can see why you

I wouldn't be if I were you either , too late :)

....he says as he hides behind a thin veneer of anonymity.

What do you mean hiding? We're discussing ssh, not some inflamatory political topic. Get a sense of perspective.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sun, 19 Apr 2026 00:24:34 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-18, boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:14:38 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Pfft, yeah, right.

I'm not saying you should read the room, but you should at least read
the posts in the thread. It should be evident to you at this point that
at least some people here are at least to some extent cautious enough in >these matters.

They seem to assume they're typical of most users. They're not.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sat, 18 Apr 2026 17:54:21 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

boltar@caprica.universe writes:

On Fri, 17 Apr 2026 13:34:39 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

[...]

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

That would be main downside, not the handwaving guff about certificates
that others have come up with.

One last thing: I don't know whether the your user name "boltar"
is a misspelling of "Baltar" or not.

Well done, have a scooby snack.

Don't bother answering. Your recent habit of insulting people,
particularly people who are quite knowledgeable, has earned you a
spot in my killfile. Others will do as they want, but for the sake

Easily worked around.

of the signal/noise ratio of this newsgroup, I encourage everyone
else to stop replying to your posts.

I'll insult people who patronise, wilfully misunderstand me and tell me I
don't know what I'm talking about in order to score pathetic points with
others on this group when all I did was post what I thought was an interesting topic about ports.

Some usenet groups like this never change, just an ever decreasing number of arrogant know-it-alls circle jerking.


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-19, boltar@caprica.universe wrote:

On Sun, 19 Apr 2026 00:24:34 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-18, boltar@caprica.universe wrote:

On Sat, 18 Apr 2026 15:14:38 -0000 (UTC)
kalevi@kolttonen.fi (Kalevi Kolttonen) gabbled:

boltar@caprica.universe wrote:

[...] No one when first connecting to an sshd goes
to google the key to see if its valid, they type "yes" and carry on.

Not really true. Some people are more cautious than that.

Pfft, yeah, right.

I'm not saying you should read the room, but you should at least read
the posts in the thread. It should be evident to you at this point that
at least some people here are at least to some extent cautious enough in >>these matters.

They seem to assume they're typical of most users. They're not.

How would that even be any different from what you're doing, assuming no
user ever does that?
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-18, boltar@caprica.universe wrote:

On Fri, 17 Apr 2026 13:34:39 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

scott@slp53.sl.home (Scott Lurndal) writes:
If I understand correctly, a non-root user can set up a server on a >>"privileged" port, but not if that port is already in use. If root

Yes, thats kind of how TCP works. Would be a bit tricky having 2 programs
on the same port.

(I faintly recall something about port-sharing on Windows NT. What was
that about? I'll have to check...)

Which means, unless I'm missing something, that the warning about
a changed host key is not likely to show up. (Unless the system
doesn't have an ssh server -- but then how does the user get
into it?)

Console.

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

That would be main downside, not the handwaving guff about certificates
that others have come up with.

It's not "handwaving guff", it's asymmetric cryptography, and computer
science.

There are certain mathematical guarantees and assumptions that mean you
can't just "fake" a private key/certificate unless you choose too weak parameters to begin with, or if there is some flaw in the generating
code (e.g. commenting out that call to MD_update()).

Barring a flaw that allows a user to read the system's private key for
sshd - which would be a major issue, I think - there's no feasible way
in which a user could impersonate the key of the legitimate system-wide
sshd. At least without e.g. time travel.
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s25j3$1km5f$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sat, 18 Apr 2026 15:57:42 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s09gt$3al9g$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Sat, 18 Apr 2026 15:48:38 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s07uq$3a63c$1@dont-email.me>, <boltar@caprica.universe> wrote:

On Sat, 18 Apr 2026 15:08:03 -0000 (UTC)

I already explained it. You didn't understand it. I see no

No you haven't. At all.

Go read RFC 4253.

What about it? You think someone in there it says "if the sshd code is hacked
it automagically won't work! So ya boo sucks Mr hacker!".

....and you think that magically restricting access to port 22
fixes that?

No, I'm saying its a small link in the chain of security.

And others have pointed out to you how it really isn't. And you
cannot resist proving yourself incapable of understanding that.

You truly are an idiot.

I think you don't understand how cryptography works.

You think sshd doesn't decrpyt the data before it forwards it

Case in point. Rather QED, I'm afraid.

to bash?

Are you aware that there are shells other than `bash`?

Aww, bles
s.

Odd formatting. I guess you can't use a text editor, either.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s261u$3rucs$1@dont-email.me>, <baltar@caprica.prime> wrote:

On Sat, 18 Apr 2026 17:54:21 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled: >>boltar@caprica.universe writes:

On Fri, 17 Apr 2026 13:34:39 -0700
Keith Thompson <Keith.S.Thompson+u@gmail.com> gabbled:

[...]

And even if there's no existing ssh server, a non-root sshd would
only provide access to the user's account.

That would be main downside, not the handwaving guff about certificates
that others have come up with.

One last thing: I don't know whether the your user name "boltar"
is a misspelling of "Baltar" or not.

Well done, have a scooby snack.

Don't bother answering. Your recent habit of insulting people, >>particularly people who are quite knowledgeable, has earned you a
spot in my killfile. Others will do as they want, but for the sake

Easily worked around.

of the signal/noise ratio of this newsgroup, I encourage everyone
else to stop replying to your posts.

I'll insult people who patronise,

The irony.

wilfully misunderstand me

Others understand you just fine, you just don't recognize it
because you have no idea what you're talking about.

and tell me I
don't know what I'm talking about

You shout that, loudly, yourself. And you do so at seemingly
every opportunity.

in order to score pathetic points with
others on this group

Actually, others were trying to be helpful and explain why what
you were saying was just wrong. I get it, you're too
thin-skinned to accept that as anything other than an attack,
but the only one "trying to score points" at this point is you.

when all I did was post what I thought was an interesting
topic about ports.

Some usenet groups like this never change, just an ever decreasing number of >arrogant know-it-alls circle jerking.

Sounds like you're butthurt that got caught out showing your ass
by putting your ignorance on such proud display.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s15hn$1fk$2@reader1.panix.com>,
Dan Cross <cross@spitfire.i.gajendra.net> wrote:
...

This fool also doesn't seem to understand that it's all about
relative effort; the Internet is so chock-full of soft targets
it is hardly worth an adversary's time to search non-default
ports, but a lot of systems change the default simply because
they're tired of their logs being choked by random bot scanning
for known vulnerabilities.

Yes.

Realizing, of course, that anecdotes are not data, I will share my own experience in this area. For a while, I ran one of those "rent a server instance" Linux thingies. I setup ssh(d) on it, and immediately noticed
the logs being filled with random connections (i.e., attacks). Nobody ever
got in, but not for lack of trying.

Now, some people might say "OK, no problem". I.e., they would say that the logs filling up with failed attacks is no big deal - that disk space is
cheap, etc, etc. But I'm not those people. In particular, having noise in your logs makes it hard to find real issues.

So, I switched the port of sshd. Voila! No more attacks. None.

Now, of course, this doesn't mean that attackers couldn't port scan me and
then try to get in on whatever port it was running on, but the fact is,
they don't (at least in my somewhat limited experience with this). As you
say, there are plenty of soft targets; there's no need for them to waste
their time scanning for non-standard ports. In fact, it is probably a lot
like what they say about those Nigerian Prince scam emails; the bad guys actually *want* to filter out anyone smart enough to change the port, since they probably also won't have an easily guessable/crackable password. To re-iterate, it is actually in their interests to only target the dumb-dumbs.
--
The randomly chosen signature file that would have appeared here is more than 4 lines long. As such, it violates one or more Usenet RFCs. In order to remain in compliance with said RFCs, the actual sig can be found at the following URL:
http://user.xmission.com/~gazelle/Sigs/Cancer
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

Kenny McCormack <gazelle@shell.xmission.com> wrote:

So, I switched the port of sshd. Voila! No more attacks. None.

I have a similar experience. Most script kiddies searching
for SSH connections only scan TCP 22. Switching to a non-standard
port really does make a difference.

br,
KK
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sun, 19 Apr 2026 10:45:30 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-18, boltar@caprica.universe wrote:

That would be main downside, not the handwaving guff about certificates
that others have come up with.

It's not "handwaving guff", it's asymmetric cryptography, and computer >science.

It is because its utterly irrelevant in this case.

Barring a flaw that allows a user to read the system's private key for
sshd - which would be a major issue, I think - there's no feasible way
in which a user could impersonate the key of the legitimate system-wide
sshd. At least without e.g. time travel.

Why would it need to? As long as it had a valid key the client is happy with
it would work fine.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sun, 19 Apr 2026 13:20:29 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s25j3$1km5f$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sat, 18 Apr 2026 15:57:42 -0000 (UTC)

....and you think that magically restricting access to port 22
fixes that?

No, I'm saying its a small link in the chain of security.

And others have pointed out to you how it really isn't. And you
cannot resist proving yourself incapable of understanding that.

Its psychological, not software. Another aspie who doesn't get it.

You think sshd doesn't decrpyt the data before it forwards it

Case in point. Rather QED, I'm afraid.

What is a case in point?

to bash?

Are you aware that there are shells other than `bash`?

Nooooooo! Really?? Say it aint so!

Aww, bles
s.

Odd formatting. I guess you can't use a text editor, either.

That really the best you can do?

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Sun, 19 Apr 2026 13:29:12 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s261u$3rucs$1@dont-email.me>, <baltar@caprica.prime> wrote: >>Some usenet groups like this never change, just an ever decreasing number of >>arrogant know-it-alls circle jerking.

Sounds like you're butthurt that got caught out showing your ass
by putting your ignorance on such proud display.

I don't own a donkey. Did you mean arse?

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s4rud$katd$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Sun, 19 Apr 2026 13:20:29 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s25j3$1km5f$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Sat, 18 Apr 2026 15:57:42 -0000 (UTC)

....and you think that magically restricting access to port 22
fixes that?

No, I'm saying its a small link in the chain of security.

And others have pointed out to you how it really isn't. And you
cannot resist proving yourself incapable of understanding that.

Its psychological, not software. Another aspie who doesn't get it.

Yeah, you just don't understand the counter examples.

You think sshd doesn't decrpyt the data before it forwards it

Case in point. Rather QED, I'm afraid.

What is a case in point?

That you don't have the foggiest idea how any of this works.

to bash?

Are you aware that there are shells other than `bash`?

Nooooooo! Really?? Say it aint so!

Aww, bles
s.

Odd formatting. I guess you can't use a text editor, either.

That really the best you can do?

You're not worth my time.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Mon, 20 Apr 2026 12:42:37 -0000 (UTC)
cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s4rud$katd$1@dont-email.me>, <boltar@caprica.universe> wrote: >>On Sun, 19 Apr 2026 13:20:29 -0000 (UTC)

That really the best you can do?

You're not worth my time.

I imagine thats what your boss thinks most days.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

In article <10s5cbj$piqi$1@dont-email.me>, <boltar@caprica.universe> wrote: >On Mon, 20 Apr 2026 12:42:37 -0000 (UTC)

cross@spitfire.i.gajendra.net (Dan Cross) gabbled:

In article <10s4rud$katd$1@dont-email.me>, <boltar@caprica.universe> wrote: >>>On Sun, 19 Apr 2026 13:20:29 -0000 (UTC)

That really the best you can do?

You're not worth my time.

I imagine thats what your boss thinks most days.

Not worth his time to correct your ramblings, either.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On 2026-04-20, boltar@caprica.universe wrote:

On Sun, 19 Apr 2026 10:45:30 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-18, boltar@caprica.universe wrote:

That would be main downside, not the handwaving guff about certificates
that others have come up with.

It's not "handwaving guff", it's asymmetric cryptography, and computer >>science.

It is because its utterly irrelevant in this case.

Barring a flaw that allows a user to read the system's private key for
sshd - which would be a major issue, I think - there's no feasible way
in which a user could impersonate the key of the legitimate system-wide >>sshd. At least without e.g. time travel.

Why would it need to? As long as it had a valid key the client is happy with it would work fine.

Because the client would not be happy with it.
--
Nuno Silva
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.unix.programmer

On Mon, 20 Apr 2026 23:52:19 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-20, boltar@caprica.universe wrote:

On Sun, 19 Apr 2026 10:45:30 +0100
Nuno Silva <nunojsilva@invalid.invalid> gabbled:

On 2026-04-18, boltar@caprica.universe wrote:

That would be main downside, not the handwaving guff about certificates >>>> that others have come up with.

It's not "handwaving guff", it's asymmetric cryptography, and computer >>>science.

It is because its utterly irrelevant in this case.

Barring a flaw that allows a user to read the system's private key for >>>sshd - which would be a major issue, I think - there's no feasible way
in which a user could impersonate the key of the legitimate system-wide >>>sshd. At least without e.g. time travel.

Why would it need to? As long as it had a valid key the client is happy with >> it would work fine.

Because the client would not be happy with it.

Feel free to expand on that comment.

--- Synchronet 3.21f-Linux NewsLink 1.2