Security suggestion concerning SSH and port forwarding.

Ben Lindstrom mouring at etoh.eviladmin.org
Mon Jan 19 20:58:36 EST 2004


What is wrong with using public keys?

Refer to "man sshd" under "authorized keys format".

You can set what command that key is good for, whether they can do port
forwarding, from what IP it is valid, etc.

- Ben

On Mon, 19 Jan 2004, Krister Bergman wrote:

> Hi,
>
> sorry if it is the wrong approach to suggest improvements to OpenSSH,
> but here comes my suggestion:
>
> I recently stumbled upon the scponly shell which in its chrooted form is
> an ideal solution when you want to share some files with people you trust
> more or less.
>
> The problem is, if you use scponlyc as the shell, port forwarding is still
> allowed. This can of course be disallowed in sshd_config, but not only
> for certain users and/or groups.
>
> Example scenario:
>
> You're on a private network, behind a firewall. You're letting port 22 in
> to your linux machine. A few trusted people have normal accounts on this
> machine allowing them to use -L to forward ports to other machines on the
> private network.
>
> Still you want to give other, less trusted people, access to file areas on
> the same machine. You want to keep this as secure as possible and want to
> give them accounts allowing them file access to a certain chrooted
> environment by using the scponlyc shell. You do NOT want these people to
> be able to, for example, use port forwarding to access some less secure
> W*ndows machines in the private network.
>
> I know a workaround would be to use two different ssh servers with two
> different sshd_config files, each allowing only a certain range of users,
> one allowing port forwarding and one not allowing it.
>
> A nicer solution would be if it could be specified in the sshd_config
> which users are allowed to use port forwarding.
>
> Please cc: all answers to me, since I'm not a member of this mailing list.
>
>
>
> Best Regards
>
>  Krister Bergman
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
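
The per-key restriction Ben points to, as an added example that is not part of the original thread or of the OpenSSH project: a helper that emits an authorized_keys entry which turns off TCP, X11 and agent forwarding (and pty allocation) for one key and pins it to a source address pattern with from=, plus an audit that scans an existing authorized_keys file for keys still carrying no such restriction. All key material, user names and addresses are constructed placeholders; the option names are the ones documented in sshd(8).

```sh
#!/bin/sh
# Added example, not from the original thread or the OpenSSH project.
# Two helpers around the authorized_keys options discussed above:
#   restricted_key_line  - emits an entry that forbids port forwarding for one key
#   audit_forwarding     - scans an authorized_keys file for keys that still allow it
# All key material, host names and addresses below are constructed placeholders.

# Emit one authorized_keys line for a file-transfer-only account.
#   $1  pattern for the from= option (e.g. "192.0.2.*" or "*.example.org")
#   $2  the public key as "keytype base64 [comment]"
# no-pty is included because scp and sftp never need a terminal.
restricted_key_line() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Report every key in file $1 whose options do not contain no-port-forwarding
# (or the later "restrict" option, which implies it). Prints one line per
# offending key and returns 1; returns 0 when every key is restricted.
audit_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            # The options field, if any, ends where the key-type token begins.
            opts = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) break
                opts = opts (opts == "" ? "" : " ") $i
            }
            if (i > NF) { print NR ": no key-type token found"; bad++; next }
            comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
            if (opts !~ /(^|,)(no-port-forwarding|restrict)(,|$)/) {
                print NR ": " comment " allows port forwarding"
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample file: one unrestricted admin key, one restricted scp key.
demo() {
    tmp=$(mktemp) || return 1
    {
        printf '# trusted staff: forwarding allowed\n'
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder admin@example.org\n'
        restricted_key_line '192.0.2.*' \
            'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder scp-user@example.org'
    } > "$tmp"
    audit_forwarding "$tmp" || echo "audit: some keys still permit forwarding"
    rm -f "$tmp"
}

demo
```

Two caveats a deployment along these lines needs. The options bind to the key, not the account: if PasswordAuthentication is left on, the same user can log in with a password and get an unrestricted session, so password logins must be off for those accounts. And the user must not be able to edit the file that carries the options, or they simply delete no-port-forwarding; point AuthorizedKeysFile in sshd_config at a root-owned location rather than the user's own ~/.ssh. The per-user sshd_config setting Krister asks for later arrived in OpenSSH 4.4 as Match blocks ("Match User scp-user" followed by "AllowTcpForwarding no"), which is the cleaner answer on a current server.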