On 04/04/2018 at 13:32, Jan Bergner wrote:
Good day!

A few weeks ago, we had a security breach in the company I'm working for, because employees used "ssh -R" to expose systems from our internal network to some SSH server in the outer world. Of course, this is a breach of our internal security policy, but it led us to wonder whether there is a technical solution to prevent our users from creating SSH reverse tunnels.

After a lot of googling, there seems to be no option for the system-wide client config that would do the trick, nor any other suitable solution. (Watching ps is not sufficient, as the users can also specify reverse tunnels in their client config or create them from an already existing connection.)

Is it possible to achieve this without nasty workarounds like wrapper scripts monitoring the very verbose output of SSH or doing DPI? Alternatively, would it be possible to add a config option allowing an administrator to disable reverse port forwarding or limit its destinations?

Thank you in advance,
Jan Bergner
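The post notes that users can also declare reverse tunnels in their client config rather than on the command line. As an added example (not code from this thread or from OpenSSH), the script below parses ssh_config-style files for the RemoteForward keyword, the config equivalent of -R, and reports which Host/Match block carries each directive; the sample config is constructed, and the check covers only this one channel, not forwards requested on the command line or from an existing session.

```python
"""Audit OpenSSH client config files for RemoteForward directives.
Added illustration for the thread above; not code from the thread or
from the OpenSSH project."""
import re
from pathlib import Path

# Constructed sample of a user's ~/.ssh/config (not a real file from the post).
SAMPLE_CONFIG = """\
# global defaults apply to every host
ServerAliveInterval 30
RemoteForward 2222 localhost:22

Host jump.example.org
    User alice
    ForwardAgent no

Host *.external.example
    RemoteForward=8080 intranet.corp:80
    remoteforward 0.0.0.0:9000 db.corp:5432

Match host build*
    LocalForward 5000 localhost:5000
"""

# ssh_config accepts `Keyword value` or `Keyword=value`; keywords are
# case-insensitive.  Lines starting with '#' are comments.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def find_remote_forwards(text):
    """Return [(block, value)] for each RemoteForward directive, where block
    is the enclosing Host/Match line, or "*" for the global section."""
    block, hits = "*", []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            block = f"{key.capitalize()} {value}"  # a new block starts here
        elif key == "remoteforward":
            hits.append((block, value))
    return hits


def audit_paths(paths):
    """Scan the system-wide and per-user client configs that exist on disk."""
    report = {}
    for p in paths:
        p = Path(p).expanduser()
        if p.is_file():
            report[str(p)] = find_remote_forwards(p.read_text(errors="replace"))
    return report


if __name__ == "__main__":
    for blk, val in find_remote_forwards(SAMPLE_CONFIG):
        print(f"RemoteForward in [{blk}]: {val}")
    print(audit_paths(["/etc/ssh/ssh_config", "~/.ssh/config"]))
```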
Hello,

No totally sure way without DPI and/or proxy, I think. But maybe a combination of Match blocks with PermitTunnel can be useful? According to your needs, something like:

    PermitTunnel no    #(default)
    Match Address other.corp.site.IP,123.123.123.123
        PermitTunnel Ethernet
    Match group admin1
        PermitTunnel point-to-point
    Match user root
        PermitTunnel yes

Regards,
-- benoist

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev