OpenSSH-Client without reverse tunnel ability
mlrx
openssh-unix-dev at 18informatique.com
Thu Apr 5 01:26:33 AEST 2018
On 04/04/2018 at 13:32, Jan Bergner wrote:
> Good day!
>
> A few weeks ago, we had a security breach in the company I'm working
> for, because employees used "ssh -R" to expose systems from our internal
> network to some SSH server in the outer world.
>
> Of course, this is a breach of our internal security policy, but it led us
> to wonder whether there is a technical solution to prevent our users
> from creating SSH reverse tunnels.
>
> After a lot of googling, there seems to be no option for the
> system-wide client config that would do the trick, nor any other suitable
> solution. (Watching ps is not sufficient, as the users can also specify
> reverse tunnels in their client config or create them from an already
> existing connection.)
>
> Is it possible to achieve this without nasty workarounds like wrapper
> scripts monitoring the very verbose output of SSH or doing DPI?
> Alternatively, would it be possible to add a config option allowing an
> administrator to disable reverse port forwarding or limit its destinations?
>
>
> Thank you in advance,
>
> Jan Bergner
Hello,
No totally sure way without DPI and/or a proxy, I think.
But maybe a combination of Match blocks with
PermitTunnel can be useful?
According to your needs, something like:
# default
PermitTunnel no
Match Address other.corp.site.IP,123.123.123.123
    PermitTunnel Ethernet
Match group admin1
    PermitTunnel point-to-point
Match user root
    PermitTunnel yes
Regards,
--
benoist
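As an added example that is not part of the thread, here is a small Python resolver that applies sshd's Match precedence to a constructed sshd_config modelled on the snippet above: the first matching Match block that sets a keyword wins and the global value is the fallback, so root in group admin1 connecting from 123.123.123.123 gets PermitTunnel ethernet, not yes. The sample also carries AllowTcpForwarding, the directive that governs -R/-L TCP forwarding on servers you administer (PermitTunnel covers tun(4) device tunnels, ssh -w). Simplifications assumed here: User and Group are matched literally, Address by CIDR, and any other Match criterion raises KeyError.

```python
import ipaddress
# Constructed sample config, modelled on the snippet in the reply above.
SAMPLE_CONFIG = """\
PermitTunnel no
AllowTcpForwarding local
Match Address 10.0.0.0/8,123.123.123.123
    PermitTunnel ethernet
Match Group admin1
    PermitTunnel point-to-point
    AllowTcpForwarding yes
Match User root
    PermitTunnel yes
"""

def parse_config(text):
    """Global settings plus ordered Match blocks; first value per keyword wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd allows whole-line comments only
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            toks = value.split()
            crit = {n.lower(): p.split(",") for n, p in zip(toks[::2], toks[1::2])}
            blocks.append((crit, (current := {})))
        else:
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

# Simplified criteria: User/Group matched literally, Address by CIDR; others KeyError.
CHECKS = {
    "user": lambda pats, user, groups, ip: user in pats,
    "group": lambda pats, user, groups, ip: bool(set(groups) & set(pats)),
    "address": lambda pats, user, groups, ip: any(
        ip in ipaddress.ip_network(p, strict=False) for p in pats),
}

def criteria_match(crit, user, groups, address):
    ip = ipaddress.ip_address(address)
    return all(CHECKS[name](pats, user, groups, ip) for name, pats in crit.items())

def effective(config_text, keyword, user, groups, address):
    """Value sshd would apply: first matching Match block that sets it, else global."""
    global_opts, blocks = parse_config(config_text)
    keyword = keyword.lower()
    for crit, settings in blocks:  # file order decides precedence
        if keyword in settings and criteria_match(crit, user, groups, address):
            return settings[keyword]
    return global_opts.get(keyword)
```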