Security suggestion concering SSH and port forwarding.
Darren Tucker
dtucker at zip.com.au
Mon Jan 19 20:54:36 EST 2004
Krister Bergman wrote:
> sorry if it is the wrong approuch to suggest improvments to OpenSSH,
> but here comes my suggestion:
>
> I recently stumbled upon the scponly shell which in it's chroot:ed form is
> an ideal solution when you want to share some files with people you trust
> more or less.
>
> The problem is, if you use the scponlyc as shell, port forwarding is still
> allowed. This can of course be dissallowed in sshd_config, but not only
> for certian users and/or groups.
If you're using public-key authentication you can use the
no-port-forwarding flag on the key:
$ man sshd
AUTHORIZED_KEYS FILE FORMAT
[snip]
no-port-forwarding
Forbids TCP/IP forwarding when this key is used for authentica-
tion. Any port forward requests by the client will return an
error. This might be used, e.g., in connection with the command
option.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list