OpenSSH-Client without reverse tunnel ability

David Newall openssh at davidnewall.com
Wed Apr 4 22:28:52 AEST 2018


Hi Jan,

I doubt you can control this by inspecting the packets because they are 
encrypted.

SSH could be modified to recognise a new option in /etc/ssh/ssh_config, 
but if your users can run a non-standard SSH (i.e. one which doesn't 
have that restriction), then there's not much you can do.  It'd take a 
very tight ship to prevent users from running a non-standard SSH.

My first thought was that they might bring in their own device. My 
second thought was that an SSH client could be written in JavaScript, so 
every web browser is a potential weak point.  My third thought was that 
writing a tunnel in JavaScript is probably easier than writing a 
complete SSH client, and so every web browser is doubly a weak point.

David


More information about the openssh-unix-dev mailing list