OpenSSH-Client without reverse tunnel ability

mlrx openssh-unix-dev at 18informatique.com
Thu Apr 5 01:26:33 AEST 2018


On 04/04/2018 at 13:32, Jan Bergner wrote:
> Good day!
> 
> A few weeks ago, we had a security breach in the company I'm working
> for, because employees used "ssh -R" to expose systems from our internal
> network to some SSH server in the outer world.
> 
> Of course, this is a breach of our internal security policy, but it led us
> to wonder whether there is a technical solution to prevent our users
> from creating SSH reverse tunnels.
> 
> After a lot of googling, there seems to be no option for the
> system-wide client config that would do the trick nor any other suitable
> solution. (Watching ps is not sufficient, as the users can also specify
> reverse tunnels in their client config or create them from an already
> existing connection.)
> 
> Is it possible to achieve this without nasty workarounds like wrapper
> scripts monitoring the very-verbose output of SSH or doing DPI?
> Alternatively, would it be possible to add a config option, allowing an
> administrator to disable reverse port forwarding or limit its destinations?
> 
> 
> Thank you in advance,
> 
> Jan Bergner

Hello,

No totally-sure way without DPI and/or a proxy, I think.

But maybe a combination of Match blocks with
PermitTunnel can be useful?
According to your needs, something like:

# sshd_config directives; a Match block applies until the next Match line.
# sshd does not accept trailing comments on a directive line ("garbage at
# end of line"), so the comment goes on its own line.
# default:
PermitTunnel no
Match Address other.corp.site.IP,123.123.123.123
   PermitTunnel Ethernet
Match Group admin1
   PermitTunnel point-to-point
Match User root
   PermitTunnel yes

Regards,
-- 
benoist

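To check how sshd would actually resolve Match blocks like the ones above for a given connection, the command to run on the server is `sshd -T -C user=...,addr=...`. The script below is an added example written for this archive page; it is not benoist's code and not part of OpenSSH. It re-implements the sshd_config(5) precedence rules offline (global value unless a satisfied Match block sets the keyword; when several satisfied blocks set the same keyword, the first instance wins) over a constructed config fragment. It assumes group membership is passed in by the caller, implements only the User, Group and Address criteria, and does not support `!` negation. The sample config also carries AllowTcpForwarding next to PermitTunnel, because PermitTunnel governs tun(4) device forwarding (`ssh -w`) while the `ssh -R` port forwarding in the question is governed by AllowTcpForwarding; the evaluator lets you compare what each resolves to per user.

```python
"""Offline evaluator for sshd_config Match blocks (added example, constructed).

It imitates what `sshd -T -C user=...,addr=...` reports for a handful of
keywords so the precedence rules of sshd_config(5) can be checked without a
running sshd.  Assumptions: group membership is supplied by the caller, only
the User/Group/Address criteria are implemented, and '!' negation is not.
"""
import fnmatch
import ipaddress

# Constructed sshd_config fragment (not from the mailing list post).
# PermitTunnel governs tun(4) device forwarding (ssh -w); port forwarding
# (ssh -L / ssh -R) is governed by AllowTcpForwarding.
SAMPLE_CONFIG = """
# global defaults for everyone
PermitTunnel no
AllowTcpForwarding no

Match Address 203.0.113.0/24,198.51.100.7
   PermitTunnel ethernet
   AllowTcpForwarding local

Match Group admin1
   PermitTunnel point-to-point
   AllowTcpForwarding yes

Match User root
   PermitTunnel yes
"""


def parse_config(text):
    """Return (global_opts, blocks); each block is (criteria, opts).

    Keywords are lower-cased.  For duplicate keywords the first occurrence
    wins, as in sshd, which only sets an option that is still unset.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if tokens == ["all"]:
                criteria = {}  # "Match all" is satisfied by every connection
            else:
                # criterion / pattern-list pairs, e.g. "Address a,b Group g"
                criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                            for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return global_opts, blocks


def _address_matches(patterns, addr):
    """Address patterns are CIDR ranges or wildcards; any one may match."""
    ip = ipaddress.ip_address(addr)
    for pat in patterns:
        if "/" in pat:
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, pat):
            return True
    return False


def block_matches(criteria, conn):
    """All criteria on the Match line must hold (AND); within one criterion
    any listed pattern suffices (OR)."""
    for crit, patterns in criteria.items():
        if crit == "user":
            ok = any(fnmatch.fnmatchcase(conn["user"], p) for p in patterns)
        elif crit == "group":
            ok = any(fnmatch.fnmatchcase(g, p)
                     for g in conn["groups"] for p in patterns)
        elif crit == "address":
            ok = _address_matches(patterns, conn["addr"])
        else:
            raise ValueError("unsupported Match criterion: " + crit)
        if not ok:
            return False
    return True


def effective_options(text, user, groups, addr,
                      keywords=("permittunnel", "allowtcpforwarding")):
    """Resolve the given keywords for one connection, like `sshd -T -C`."""
    global_opts, blocks = parse_config(text)
    conn = {"user": user, "groups": list(groups), "addr": addr}
    result = {k: global_opts.get(k) for k in keywords}
    decided = set()
    for criteria, opts in blocks:
        if not block_matches(criteria, conn):
            continue
        for k in keywords:
            if k in opts and k not in decided:  # first satisfied block wins
                result[k] = opts[k]
                decided.add(k)
    return result


if __name__ == "__main__":
    cases = [("alice", ["staff"], "192.0.2.10"),
             ("bob", ["admin1"], "203.0.113.5"),
             ("carol", ["admin1"], "10.0.0.5"),
             ("root", ["wheel"], "192.0.2.1")]
    for user, groups, addr in cases:
        print(user, addr, effective_options(SAMPLE_CONFIG, user, groups, addr))
```

The "bob" case is the one worth noting when auditing a real config: bob is in admin1, but because the Address block comes first and also sets both keywords, he gets ethernet/local rather than point-to-point/yes. Match block order, not specificity, decides.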