Security suggestion concerning SSH and port forwarding.

Krister Bergman bell at milliways.st
Mon Jan 19 21:08:08 EST 2004


Yes, that is an option I am considering. Found that part after I sent the
message.

But I still like the idea to keep it simple by just using userid and
password authentication and keeping these users in a chroot:ed sandbox.

After all this is mainly for "point-and-click" users using WinSCP.
But I will consider and try the option of using public keys.


/Krister

On Mon, 19 Jan 2004, Ben Lindstrom wrote:

>
> What is wrong with using public keys?
>
> Refer to "man sshd" under "authorized keys format"
>
> you can set what command that key is good for, if they can do port
> forward, from what IP it is valid, etc.
>
> - Ben
>
> On Mon, 19 Jan 2004, Krister Bergman wrote:
>
> > Hi,
> >
> > sorry if it is the wrong approach to suggest improvements to OpenSSH,
> > but here comes my suggestion:
> >
> > I recently stumbled upon the scponly shell which in its chroot:ed form is
> > an ideal solution when you want to share some files with people you trust
> > more or less.
> >
> > The problem is, if you use the scponlyc as shell, port forwarding is still
> > allowed. This can of course be disallowed in sshd_config, but not only
> > for certain users and/or groups.
> >
> > Example scenario:
> >
> > You're on a private network, behind a firewall. You're letting port 22 in
> > to your linux machine. A few trusted people have normal accounts on this
> > machine allowing them to use -L to forward ports to other machines on the
> > private network.
> >
> > Still you want to give other, less trusted people, access to file areas on
> > the same machine. You want to keep this as secure as possible and want to
> > give them accounts allowing them file access to a certain chroot:ed
> > environment by using the scponlyc shell. You do NOT want these people to
> > be able to, for example, use port forwarding to access some less secure
> > W*ndows machines in the private network.
> >
> > I know a workaround would be to use two different ssh servers with two
> > different sshd_config files, each allowing only a certain range of users
> > and one allowing port forwarding, and one not allowing it.
> >
> > A nicer solution would be if it could be specified in the sshd_config
> > which users are allowed to use port forwarding.
> >
> > Please cc: all answers to me, since I'm not a member of this mailing list.
> >
> >
> >
> > Best Regards
> >
> >  Krister Bergman
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
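Ben's suggestion relies on the per-key options in the authorized_keys format (sshd(8)), which can turn port forwarding off for the scponly users while the trusted accounts keep it. The practical failure mode is an entry that was added later without the option, so the check worth having is an audit of the file. The following script is an added example, not code from the thread or from OpenSSH: it parses authorized_keys option prefixes (including commas and whitespace inside a quoted `command="..."`) and reports every key that still permits TCP forwarding. Two notes on what it assumes: the `restrict` option only exists in OpenSSH 7.2 and later (the 2004 sshd in the thread had only `no-port-forwarding`), and the key blobs in the sample are constructed placeholders.

```python
"""Audit of OpenSSH authorized_keys option prefixes (added example, not from the thread).

Assumed input: an authorized_keys file in the format described in sshd(8).
Sample keys below are constructed placeholders, not real public keys.
"""

# Abbreviated list of key types sshd recognises; a line whose first word is
# one of these carries no option prefix.
KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})


def split_options(opts: str) -> list:
    """Split a comma-separated option prefix into individual options.

    Commas inside double quotes (e.g. command="echo a,b") are not separators,
    and a backslash inside quotes escapes the next character.
    """
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):
            cur.extend(opts[i:i + 2])  # keep the escape verbatim
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str):
    """Return (options, key_type, key, comment) for one authorized_keys line,
    or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = [], line
    else:
        # The option prefix ends at the first whitespace outside double quotes.
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, rest = split_options(line[:i]), line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised authorized_keys line: %r" % line[:40])
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def allows_port_forwarding(options) -> bool:
    """True if the key options leave TCP forwarding enabled.

    sshd applies options left to right: no-port-forwarding and restrict turn
    forwarding off, port-forwarding turns it back on. sshd_config's
    AllowTcpForwarding still applies on top; a key option can only tighten,
    never loosen, the global setting.
    """
    allowed = True
    for opt in options:
        name = opt.split("=", 1)[0].strip().lower()
        if name in ("no-port-forwarding", "restrict"):
            allowed = False
        elif name == "port-forwarding":
            allowed = True
    return allowed


def audit(text: str) -> list:
    """Return (line_number, comment_or_key_type) for every key that may forward."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        options, key_type, _key, comment = parsed
        if allows_port_forwarding(options):
            findings.append((n, comment or key_type))
    return findings


# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed sample
ssh-ed25519 AAAAC3PLACEHOLDERKEY trusted-admin
no-port-forwarding,no-X11-forwarding,from="10.0.0.0/8" ssh-ed25519 AAAAC3PLACEHOLDERKEY scp-user-1
restrict,command="echo hello, world" ssh-rsa AAAAB3PLACEHOLDERKEY scp-user-2
restrict,port-forwarding ssh-ed25519 AAAAC3PLACEHOLDERKEY tunnel-user
command="echo a,b" ssh-rsa AAAAB3PLACEHOLDERKEY misconfigured
"""

if __name__ == "__main__":
    for line_no, who in audit(SAMPLE):
        print("line %d: %s can still use port forwarding" % (line_no, who))
```

Run against the sample it reports trusted-admin, tunnel-user and misconfigured; the last one is the case the audit exists for, a key with a forced command but nothing preventing `-L`. The per-user setting Krister asks for in the original message was added later as the sshd_config `Match` directive (OpenSSH 4.4), e.g. a `Match Group scponly` block containing `AllowTcpForwarding no`; the key-option audit above complements that, because a key option can only restrict further than the global or Match-level setting.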