Re: OpenSSH-Client without reverse tunnel ability


On 04/04/2018 at 13:32, Jan Bergner wrote:
Good day!

A few weeks ago, we had a security breach in the company I'm working
for, because employees used "ssh -R" to expose systems from our internal
network to some SSH server in the outer world.

Of course, this is a breach of our internal security policy, but it led us
to wonder whether there is a technical solution to prevent our users
from creating SSH reverse tunnels.

After a lot of googling, there seems to be no option for the
system-wide client config that would do the trick, nor any other suitable
solution. (Watching ps is not sufficient, as the users can also specify
reverse tunnels in their client config or create them from an already
existing connection.)

Is it possible to achieve this without nasty workarounds like wrapper
scripts monitoring the very-verbose output of SSH or doing DPI?
Alternatively, would it be possible to add a config option allowing an
administrator to disable reverse port forwarding or limit its destinations?


Thank you in advance,

Jan Bergner

Hello,

No totally-sure way without DPI and/or a proxy, I think.

But maybe a combination of MATCH blocks with
PermitTunnel can be useful?
According to your needs, something like:

PermitTunnel no  #(default)
Match Address other.corp.site.IP,123.123.123.123
  PermitTunnel Ethernet
Match group admin1
  PermitTunnel point-to-point
Match user root
  PermitTunnel yes

Regards,
--
benoist

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
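The reply's Match-block suggestion depends on how sshd resolves a keyword when several blocks could apply: the value in the global section is the default, and the first matching Match block that sets the keyword wins, regardless of later blocks. The evaluator below is an added example written for this page, not code from OpenSSH or from either poster. It parses a constructed sshd_config fragment modelled on the snippet above (the hostname placeholder is replaced by a documentation-range IP, since Match Address takes addresses and CIDR ranges rather than hostnames) and reports the effective PermitTunnel value for a given user, group list and source address, so an administrator can check which block actually applies to a connection before deploying the config. The criteria it understands (Address, User, Group) and its pattern handling are a deliberately small subset of sshd's. One caveat for the thread's actual problem: PermitTunnel governs tun(4) device forwarding (ssh -w), whereas -R remote port forwarding is governed on the server side by AllowTcpForwarding and, in newer releases, PermitListen.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Constructed sshd_config fragment modelled on the snippet in the reply.
# 192.0.2.0/24 stands in for "other.corp.site.IP" (documentation range).
SAMPLE_CONFIG = """\
PermitTunnel no  #(default)
Match Address 192.0.2.0/24,123.123.123.123
  PermitTunnel Ethernet
Match group admin1
  PermitTunnel point-to-point
Match user root
  PermitTunnel yes
"""


@dataclass
class MatchBlock:
    criteria: dict  # e.g. {"address": ["192.0.2.0/24", "123.123.123.123"]}
    settings: dict  # lowercased keyword -> first value seen in the block


@dataclass
class SshdConfig:
    global_settings: dict = field(default_factory=dict)
    match_blocks: list = field(default_factory=list)


def parse_sshd_config(text):
    """Split an sshd_config into global settings and ordered Match blocks.
    As in sshd, the first value seen for a keyword in a section is kept."""
    cfg = SshdConfig()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            # A Match line is a sequence of criterion/pattern-list pairs.
            criteria = {c.lower(): p.split(",")
                        for c, p in zip(tokens[0::2], tokens[1::2])}
            current = MatchBlock(criteria, {})
            cfg.match_blocks.append(current)
        elif current is None:
            cfg.global_settings.setdefault(keyword, value)
        else:
            current.settings.setdefault(keyword, value)
    return cfg


def _match_list(patterns, matcher):
    """sshd pattern-list rule: a matching negated entry ("!pat") rejects the
    whole list; otherwise any matching positive entry accepts it."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if matcher(pat[1:]):
                return False
        elif matcher(pat):
            positive = True
    return positive


def _address_matches(pat, addr):
    if "/" in pat:  # CIDR range
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    return fnmatch.fnmatchcase(addr, pat)  # literal or wildcard address


def _block_matches(block, user, groups, address):
    """All criteria on the Match line must hold; unknown criteria never match."""
    for crit, patterns in block.criteria.items():
        if crit == "address":
            ok = _match_list(patterns, lambda p: _address_matches(p, address))
        elif crit == "user":
            ok = _match_list(patterns, lambda p: fnmatch.fnmatchcase(user, p))
        elif crit == "group":
            ok = _match_list(patterns, lambda p: any(fnmatch.fnmatchcase(g, p) for g in groups))
        else:
            ok = False
        if not ok:
            return False
    return True


def effective_setting(cfg, keyword, user, groups, address):
    """Value sshd would apply: first matching Match block that sets the
    keyword, falling back to the global section."""
    keyword = keyword.lower()
    for block in cfg.match_blocks:
        if _block_matches(block, user, groups, address) and keyword in block.settings:
            return block.settings[keyword]
    return cfg.global_settings.get(keyword)


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for user, groups, addr in [("alice", ["staff"], "198.51.100.7"),
                               ("root", ["wheel"], "192.0.2.5"),
                               ("bob", ["admin1"], "198.51.100.7"),
                               ("root", ["wheel"], "198.51.100.7")]:
        print(f"{user:6s} {addr:15s} PermitTunnel={effective_setting(cfg, 'PermitTunnel', user, groups, addr)}")
```

Running it shows the ordering effect that is easy to miss when reading the config: root connecting from the 192.0.2.0/24 range gets "Ethernet" from the Address block, not "yes" from the later "Match user root" block, and a root account that is also in admin1 gets "point-to-point".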