Hello all.

First of all, I want to extend my sincere thanks to all the people who came to the rescue so quickly. In any case, there is obviously room for clarification on my part, so I will try to describe the situation we had in more detail.

In short: employees used the openssh *client* from *within* our company network to create a *reverse* SSH tunnel, using an *external* SSH server. We control the clients but not the servers. So, we wanted to restrict our *clients*.

Of course, we are aware of other tools like socat, or of employees who can compile openssh on their own, but our aim was not to make data exfiltration impossible, as this would indeed mean disconnecting from the internet.

Obviously, I failed to emphasize that our employees did not break the rules deliberately, but because they simply were not aware of the impact their actions had. As a matter of fact, we often legitimately use SSH tunnels, also reverse tunnels, in other situations (i.e. not on our workstations). And indeed, we have the sign-it-with-your-blood policy. The employees did not understand that they were breaking it.

Suffice it to say that our case could have been prevented if the employees had gotten a notification. And since they use SSH by default before they try anything else, this was our starting point.

In the end, we figured the most general way to prevent such breaches would be to restrict reverse tunnels on workstations, so the employees are reminded that this is not allowed (since they could always use an external SSH server to do nasty stuff). Alternatively, any means of monitoring reverse tunnels would be an improvement.

However, I gathered this is not possible right now and cannot easily be added as a feature. As far as I am concerned, my question is therefore answered and we will have to find another solution.

Thanks again to all of you and best regards,
Jan Bergner

-- 
Jan Bergner, M.Sc.
Software Engineer
indurad GmbH
The Industrial Radar Company
Belvedereallee 5
52070 Aachen, Germany
Office: +49 241 538070-61
Front Desk: +49 241 538070-0
Fax: +49 241 538070-99
jan.bergner@xxxxxxxxxxx
www.indurad.com <http://www.indurad.com/>
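The notification the post asks for, a client-side check that refuses an ssh invocation requesting a reverse tunnel, can be approximated outside OpenSSH with a wrapper placed ahead of the real client in PATH. The following is an added example written for this page; it is not code from the thread, from the poster, or from OpenSSH. It assumes the real client has been moved to a hypothetical path (REAL_SSH) and uses a constructed sample ~/.ssh/config. The option-parsing mirrors how getopt in ssh(1) treats bundled flags and option arguments, so that "-fNR spec", "-Rspec" and "-o RemoteForward=..." are all caught, while a "-R" that appears after the destination (part of the remote command) is not.

```python
"""Refuse ssh invocations that request a reverse (-R / RemoteForward) tunnel.

Added example: a hypothetical wrapper installed ahead of the real client in
PATH so that a workstation user who types "ssh -R ..." gets a notice instead
of a tunnel. It is a reminder, not an enforcement boundary.
"""
import os
import re
import sys

# Assumed location the real client has been moved to (hypothetical path).
REAL_SSH = "/usr/bin/ssh.real"

# Single-letter ssh(1) options that take an argument, from the getopt string
# in OpenSSH's ssh.c ("b:c:e:i:l:m:o:p:" and "B:D:E:F:I:J:L:O:Q:R:S:w:W:").
# Everything else is a bare flag and can be bundled, e.g. -fNR.
OPTS_WITH_ARG = set("bceilmopBDEFIJLOQRSwW")

# "RemoteForward <spec>" or "RemoteForward=<spec>"; keywords in ssh_config(5)
# are case-insensitive and may be followed by '=' or whitespace.
_REMOTE_FORWARD = re.compile(r"^\s*remoteforward\s*(?:=|\s)\s*(\S.*)$", re.IGNORECASE)

# Constructed sample ~/.ssh/config used for the demonstration (not a real file).
SAMPLE_CONFIG = """# constructed sample ~/.ssh/config (not a real file)
Host jump
    HostName jump.example.net
    LocalForward 9000 localhost:9000

Host exfil
    HostName 203.0.113.7
    RemoteForward 2222 localhost:22
    # RemoteForward 3333 localhost:33
    remoteforward = 4444 localhost:44
"""


def remote_forwards_in_argv(argv):
    """Return the remote-forward specs requested on an ssh command line.

    Handles "-R spec", "-Rspec", bundled flags such as "-fNR spec" and
    "-o RemoteForward=spec" / "-oRemoteForward spec". Parsing stops at the
    first non-option argument (the destination), where getopt in ssh(1)
    also stops: a "-R" after the destination is part of the remote command.
    """
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--" or not arg.startswith("-") or arg == "-":
            break
        for j in range(1, len(arg)):
            flag = arg[j]
            if flag not in OPTS_WITH_ARG:
                continue  # bare flag, keep scanning the bundle
            if j + 1 < len(arg):
                value = arg[j + 1:]  # value glued to the flag: -R8080:...
            else:
                i += 1  # value is the next argv element
                value = argv[i] if i < len(argv) else ""
            if flag == "R":
                found.append(value)
            elif flag == "o":
                m = _REMOTE_FORWARD.match(value)
                if m:
                    found.append(m.group(1).strip())
            break  # the rest of this token was the option's argument
        i += 1
    return found


def remote_forwards_in_config(text):
    """Return (line_number, spec) for each RemoteForward directive in ssh_config text.

    Comments and blank lines are skipped; a directive inside any Host or Match
    block is reported, since the wrapper cannot know which block will apply.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _REMOTE_FORWARD.match(stripped)
        if m:
            hits.append((n, m.group(1).strip()))
    return hits


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    specs = remote_forwards_in_argv(argv)
    user_config = os.path.expanduser("~/.ssh/config")
    if os.path.isfile(user_config):
        with open(user_config) as f:
            specs += [spec for _, spec in remote_forwards_in_config(f.read())]
    if specs:
        sys.stderr.write(
            "ssh: reverse tunnels (-R / RemoteForward) are not permitted on "
            "workstations; refusing: %s\n" % "; ".join(specs)
        )
        return 1
    os.execv(REAL_SSH, [REAL_SSH] + argv)  # hand over to the real client


if __name__ == "__main__":
    sys.exit(main())
```

Deployed as a wrapper, this script gives exactly the reminder the post says would have prevented the incident, and nothing more: it does not follow Include directives, alternate configs passed with -F, or the system-wide ssh_config, and, as the post itself notes, socat or a privately built openssh bypass it entirely.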
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev