OpenSSH-Client without reverse tunnel ability
David Newall
openssh at davidnewall.com
Wed Apr 4 22:28:52 AEST 2018
Hi Jan,
I doubt you can control this by inspecting the packets because they are
encrypted.
SSH could be modified to recognise a new option in /etc/ssh/ssh_config,
but if your users can run a non-standard SSH (i.e. one which doesn't
have that restriction), then there's not much you can do. It'd take a
very tight ship to prevent users from running a non-standard SSH.
My first thought was that they might bring in their own device. My
second thought was that an SSH client could be written in Javascript, so
every web browser is a potential weak point. My third thought was that
writing a tunnel in Javascript is probably easier than writing a
complete SSH client, and so every web browser is doubly a weak point.
David
More information about the openssh-unix-dev
mailing list