On 2018-04-05T14:07, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner@xxxxxxxxxxx> wrote:
> > Hello all.
> >
> > First of all, I want to extend my sincere thanks to all the people who
> > came to the rescue so quickly.
> >
> > In any case, there is obviously room for clarification on my part, so I
> > will try to describe the situation we had in more detail.
> >
> > In short:
> > Employees used the openssh-*client* from *within* our company network to
> > create a *reverse* SSH tunnel, using an *external* SSH-Server. We
> > control the Clients but not the servers.
> > So, we wanted to restrict our *Clients*.
>
> How difficult would it be to leave a scheduled security check to look
> for "ssh[ \t].*-R.*" expressions with "pgrep", and file a security
> abuse report if such processes are seen? It could be worked around,
> but should catch the most blatant abusers so they can be notified of
> inappropriate behavior.

Additionally, one could grep home directories for relevant configuration
statements in ~/.ssh/config. However that would be necessarily
incomplete, because the other relevant config is ~/.ssh/authorized_keys
on the remote end.

Ciao,

Alexander Wuerstlein.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
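
Added example, not part of the thread and not OpenSSH code: the two checks discussed above (scanning running ssh processes for -R and scanning ~/.ssh/config) written so that they parse the command line as options rather than matching text, which separates a real -R or "-o RemoteForward" from a -R that belongs to the remote command. The option string, the function names and the sample inputs are assumptions constructed for illustration.

```python
import getopt
import shlex

# ssh(1) option letters (':' = takes a value); assumed to match your client.
SSH_OPTS = "46AaCfGgKkMNnqsTtVvXxYyB:b:c:D:E:e:F:I:i:J:L:l:m:O:o:p:Q:R:S:W:w:"

def split_option(text):
    """Split 'Keyword value' or 'Keyword=value' (both valid in ssh_config)."""
    parts = text.replace("=", " ", 1).split(None, 1) + ["", ""]
    return parts[0].lower(), parts[1].strip()

def remote_forwards_in_cmdline(cmdline):
    """Return the remote-forward specs requested by one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, rest = [], argv[1:]
    # Two passes: options before the destination, then options after it.
    # Whatever follows is the remote command and is not scanned for flags.
    for _ in range(2):
        try:
            opts, rest = getopt.getopt(rest, SSH_OPTS)
        except getopt.GetoptError:
            break  # unknown flag: stop parsing, keep what was found so far
        for flag, value in opts:
            key, spec = split_option(value) if flag == "-o" else ("", value)
            if flag == "-R" or key == "remoteforward":
                found.append(spec)
        rest = rest[1:]  # drop the destination
    return found

def remote_forwards_in_config(text):
    """Return (line_number, spec) for each active RemoteForward config line."""
    # A commented-out line parses to a key starting with '#', so it is skipped.
    rows = ((n, *split_option(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, spec) for n, key, spec in rows if key == "remoteforward"]

# Constructed sample inputs (hosts and ports are made up).
SAMPLE_CMDLINES = [
    "/usr/bin/ssh -fNR 2222:localhost:22 user@gw.example.net",
    "ssh -oRemoteForward=2222:localhost:22 gw.example.net",
    "ssh build.example.net grep -R TODO src/",
]
SAMPLE_CONFIG = "Host gw\n  remoteforward=2222 localhost:22\n# RemoteForward 1 x:1\n"

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(remote_forwards_in_cmdline(cmd), "<-", cmd)
    print(remote_forwards_in_config(SAMPLE_CONFIG))
```

Process listings join arguments with spaces and lose the original quoting, so treat a hit as a prompt for follow-up, not as proof.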