OpenSSH-Client without reverse tunnel ability

Jan Bergner jan.bergner at indurad.com
Wed Apr 4 21:32:48 AEST 2018


Good day!

A few weeks ago, we had a security breach in the company I'm working
for, because employees used "ssh -R" to expose systems from our internal
network to some SSH server in the outer world.

Of course, this is a breach of our internal security policy, but it led us
to wonder whether there is a technical solution to prevent our users
from creating SSH reverse tunnels.

After a lot of googling, there seems to be no option for the
system-wide client config that would do the trick, nor any other suitable
solution. (Watching ps is not sufficient, as the users can also specify
reverse tunnels in their client config or create them from an already
existing connection.)

Is it possible to achieve this without nasty workarounds like wrapper
scripts monitoring the very-verbose output of SSH or doing DPI?
Alternatively, would it be possible to add a config option allowing an
administrator to disable reverse port forwarding or limit its destinations?


Thank you in advance,

Jan Bergner
-- 
________________________________________
*Jan Bergner, M.Sc. *
Software Engineer
 
*indurad GmbH*
*The Industrial Radar Company*
 
Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99

jan.bergner at indurad.com
www.indurad.com <http://www.indurad.com/>
_______________________________________
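One way to audit two of the places the post names (ssh command lines as seen by a process monitor, and RemoteForward directives in the client config) is sketched below as an added example; it is not from the original thread, and the sample config, hostnames and command lines are constructed.

```python
import re
import shlex
# Constructed sample input (not from the original post): a user ssh_config with
# a RemoteForward inside a Host block, and ssh command lines as seen by ps.
SAMPLE_CONFIG = """\
Host outside
    HostName vps.example.org
    RemoteForward 8080 intranet.example.local:80
"""
SAMPLE_CMDLINES = [
    "ssh -fNR 2222:10.0.0.5:22 user@vps.example.org",
    "ssh -o RemoteForward=9000:db.internal:5432 user@vps.example.org",
    "ssh -L 3306:db.internal:3306 user@jumpbox",
]
_FWD_RE = re.compile(r"^remoteforward\s*=?\s*(.+)$", re.IGNORECASE)
_TAKES_ARG = set("bBcDEeFIiJLlmOopQRSWw")  # ssh(1) options that take a value

def forwards_in_config(text):
    """Return (host_pattern, spec) for every RemoteForward directive in ssh_config text."""
    host, found = "*", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config comments are whole lines
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            host = value
        elif key == "remoteforward":
            found.append((host, " ".join(value.split())))
    return found

def forwards_in_cmdline(cmdline):
    """Return -R specs from one ssh command line, walking bundled flags like getopt (-R x, -Rx, -fNR x, -o RemoteForward=x)."""
    argv, found, i = shlex.split(cmdline), [], 1
    while i < len(argv):
        arg, i = argv[i], i + 1
        if arg == "--" or not arg.startswith("-"):
            break  # destination reached; anything after it is the remote command
        for pos, letter in enumerate(arg[1:], start=2):
            if letter not in _TAKES_ARG:
                continue  # boolean flag such as -f or -N, keep scanning the bundle
            value = arg[pos:]
            if not value and i < len(argv):
                value, i = argv[i], i + 1
            if letter == "R":
                found.append(value)
            elif letter == "o" and _FWD_RE.match(value):
                found.append(_FWD_RE.match(value).group(1).strip())
            break  # this letter consumed the rest of the argument
    return found
```

As the post notes, this cannot see a forward requested through the escape sequence on an already established session, so it is an audit aid rather than a complete control.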

