Does OpenSSH have tcp_wrappers *built-in* or just compatibility?

Darren Tucker dtucker at zip.com.au
Sat May 4 14:22:03 EST 2002


Austin Gonyou wrote:
> Yeah..we thought about that..but it's really not *hard* enough. Since
> they will still have access to multiple other solaris boxes to be able
> to make portable binaries with and /tmp is usable by all. Though
> solaris ACLs would take care of that, it's not a good first step for our
> production environment. I think we are on the same wavelength though. :)
> 
> On Fri, 2002-05-03 at 08:57, Darren Tucker wrote:
> > Austin Gonyou wrote:
> > > On solaris 8, that would probably be something we could do. We're
> > > looking into how we can limit specific users from being able to ssh out
> > > of a box, and someone mentioned tcp_wrappers being built into OpenSSH.
> >
> > Assuming they can't copy their own binaries onto the box how about
> > "chgrp sshusers ssh; chmod o-rwx ssh"?

OK, how about this:

1) Install the real ssh setuid root, gid sshusers, mode 4110.

2) Set "UsePrivilegedPort" to "yes".

3) Arrange for a firewall/router/local packet filter to drop all
outbound tcp connections on port 22 with a source port >1023.

This will also defeat using a forwarder (like netcat) from an internal
box:
ProxyCommand ssh gatewayhost nc externalhost 22

You could also mount /home, /tmp and /var noexec. This would stop
someone copying another ssh and getting an external server to run sshd
on another port (eg 443).

It'd be a lot easier to use "userdel" :-) Once you've got collusion on
both sides it's very hard to stop.

		-Daz.
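As an added illustration (not part of the original thread and not OpenSSH's own tooling), the script below audits the two host-side pieces of the three-step scheme above: that the client binary carries the setuid-root, group-restricted mode 4110 layout, and that the client configuration turns on UsePrivilegedPort. The binary path, group name and config path are assumptions; the demo builds a throwaway sandbox so it runs without root and without touching a real ssh install. The packet-filter rule for step 3 is only shown in a comment, since it depends on the firewall in use.

```shell
#!/bin/sh
# Added example: audit helpers for the "setuid root, gid sshusers, mode 4110
# + UsePrivilegedPort yes" scheme. Everything below is hypothetical; it is
# not code from the thread or from OpenSSH.
set -eu

# Returns 0 when the file's permission string is exactly mode 4110
# (setuid, owner execute, group execute, nothing for others), which
# "ls -l" renders as ---s--x---.  Uses ls rather than stat so it is
# portable across Solaris, Linux and BSD.
check_ssh_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "---s--x---" ]
}

# Returns 0 when the client config has "UsePrivilegedPort yes".
# Keys in ssh_config are case-insensitive, hence grep -i.
check_privileged_port() {
    grep -iq '^[[:space:]]*UsePrivilegedPort[[:space:]][[:space:]]*yes' "$1"
}

# Runs both checks and reports; returns 0 only if both pass.
audit_ssh_client() {
    bin=$1; cfg=$2; rc=0
    if check_ssh_mode "$bin"; then
        echo "ok:   $bin is mode 4110 (setuid, group-only execute)"
    else
        echo "FAIL: $bin is not mode 4110: $(ls -ld "$bin" | cut -c1-10)"; rc=1
    fi
    if check_privileged_port "$cfg"; then
        echo "ok:   $cfg sets UsePrivilegedPort yes"
    else
        echo "FAIL: $cfg does not set UsePrivilegedPort yes"; rc=1
    fi
    return $rc
}

# Step 3 (packet filter) is outside this script; on a Linux egress box the
# rule would look like the following (illustrative, not run here):
#   iptables -A OUTPUT -p tcp --dport 22 --sport 1024:65535 -j DROP

# --- constructed sandbox so the demo runs unprivileged ---------------------
sandbox=$(mktemp -d)
touch "$sandbox/ssh"                    # stand-in for the real client binary
chmod 4110 "$sandbox/ssh"               # step 1 (chgrp sshusers omitted: needs root)
printf 'Host *\n    UsePrivilegedPort yes\n' > "$sandbox/ssh_config"  # step 2

audit_ssh_client "$sandbox/ssh" "$sandbox/ssh_config"
```

On a real host you would run audit_ssh_client against /usr/local/bin/ssh (or wherever the client lives) and its ssh_config, and additionally confirm the group with ls -l, since the mode check alone cannot tell sshusers from any other group.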


