Security suggestion concerning SSH and port forwarding.
Krister Bergman
bell at milliways.st
Mon Jan 19 21:09:51 EST 2004
I'm not currently using public keys but I will try that alternative.
/Krister
On Mon, 19 Jan 2004, Darren Tucker wrote:
> Krister Bergman wrote:
> > sorry if it is the wrong approach to suggest improvements to OpenSSH,
> > but here comes my suggestion:
> >
> > I recently stumbled upon the scponly shell which in its chrooted form is
> > an ideal solution when you want to share some files with people you trust
> > more or less.
> >
> > The problem is, if you use the scponlyc as shell, port forwarding is still
> > allowed. This can of course be disallowed in sshd_config, but not only
> > for certain users and/or groups.
>
> If you're using public-key authentication you can use the
> no-port-forwarding flag on the key:
>
> $ man sshd
> AUTHORIZED_KEYS FILE FORMAT
> [snip]
> no-port-forwarding
> Forbids TCP/IP forwarding when this key is used for authentication.
> Any port forward requests by the client will return an
> error. This might be used, e.g., in connection with the command
> option.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
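The per-key restriction Darren describes only helps if every key on the scponly account actually carries it. The following is an added example (not code from the thread or from OpenSSH) that parses the options field of authorized_keys lines, honouring quoted values such as command="..." that may themselves contain commas, and reports keys that would still permit TCP/IP forwarding; the sample file and its key comments are constructed, and the "restrict" option it also recognises is a later addition to sshd than the 2004 thread.

```python
def split_outside_quotes(text, seps):
    """Split text on any char in seps, ignoring separators inside double
    quotes; a backslash escapes the next character inside quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
            cur.append(c)
        elif quoted and c == '\\' and i + 1 < len(text):
            cur.extend(text[i:i + 2])  # keep escaped char verbatim
            i += 1
        elif c in seps and not quoted:
            if cur:
                parts.append(''.join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        parts.append(''.join(cur))
    return parts

KEY_TYPES = ('ssh-rsa', 'ssh-dss', 'ssh-ed25519', 'ecdsa-sha2-')

def parse_authorized_key(line):
    """Return (options, key_type, comment), or None for blank/comment lines.
    The options field is present only when the line does not start with a key type."""
    fields = split_outside_quotes(line.strip(), ' \t')
    if not fields or fields[0].startswith('#'):
        return None
    if fields[0].startswith(KEY_TYPES):
        options, rest = [], fields
    else:
        options, rest = split_outside_quotes(fields[0], ','), fields[1:]
    if len(rest) < 2:
        raise ValueError('malformed authorized_keys line: %r' % line)
    return options, rest[0], ' '.join(rest[2:])

def allows_port_forwarding(options):
    """True unless the key carries no-port-forwarding (or the later 'restrict')."""
    names = {o.split('=', 1)[0].lower() for o in options}
    return 'no-port-forwarding' not in names and 'restrict' not in names

def audit(authorized_keys_text):
    """Return the comment (or key type) of every key that still allows forwarding."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and allows_port_forwarding(parsed[0]):
            flagged.append(parsed[2] or parsed[1])
    return flagged

# Constructed sample authorized_keys for an scponly account; key blobs are placeholders.
SAMPLE = """\
# keys for the scponly file-drop account
no-port-forwarding,command="/usr/bin/scp -t /incoming" ssh-rsa AAAAB3placeholder alice@example
ssh-rsa AAAAB3placeholder bob@example
command="echo \\"a,b\\"",no-pty ssh-dss AAAAB3placeholder carol@example
"""

if __name__ == '__main__':
    for comment in audit(SAMPLE):
        print('port forwarding still allowed for key:', comment)
```

Run it against a user's real ~/.ssh/authorized_keys to find keys that were never restricted.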