OpenSSH-Client without reverse tunnel ability

Jan Bergner jan.bergner at indurad.com
Thu Apr 5 21:13:34 AEST 2018


Hello all.

First of all, I want to extend my sincere thanks to all the people who
came to the rescue so quickly.

In any case, there is obviously room for clarification on my part, so I
will try to describe the situation we had in more detail.

In short:
Employees used the openssh-*client* from *within* our company network to
create a *reverse* SSH tunnel, using an *external* SSH server. We
control the clients but not the servers.
So, we wanted to restrict our *clients*.

Of course, we are aware of other tools like socat or employees who can
compile openssh on their own, but our aim was not to make data
exfiltration impossible, as this would, indeed, mean disconnecting from
the internet.
Obviously, I failed to emphasize that our employees did not break the
rules deliberately, but because they simply were not aware of the
impact their actions had.
As a matter of fact, we often legitimately use SSH tunnels, also reverse
tunnels, in other situations (i.e. not on our workstations).
And indeed, we have the sign-it-with-your-blood policy. The employees
did not understand they were breaking it.
Suffice it to say that our case could have been prevented if the
employees had received a notification. And since they use SSH by default
before they try anything else, this was our starting point.

In the end, we figured the most general way to prevent such breaches
would be to restrict reverse tunnels on workstations, so the employees
are reminded that this is not allowed (since they could always use an
external SSH server to do nasty stuff). Alternatively, any means of
monitoring reverse tunnels would be an improvement.

However, I gathered this is not possible right now and cannot easily be
added as a feature. As far as I am concerned, my question is therefore
answered and we will have to find another solution.


Thanks again to all of you and best regards

Jan Bergner

-- 
________________________________________
*Jan Bergner, M.Sc. *
Software Engineer
 
*indurad GmbH*
*The Industrial Radar Company*
 
Belvedereallee 5
52070 Aachen, Germany
Office: + 49 241 538070-61
Front Desk: + 49 241 538070-0
Fax: + 49 241 538070-99

jan.bergner at indurad.com
www.indurad.com <http://www.indurad.com/>
_______________________________________
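The "notification" the message asks for can be produced on the workstation without any change to OpenSSH itself. The following is an added example, not part of this thread and not OpenSSH code: a POSIX sh wrapper that is installed ahead of the real ssh binary in PATH, parses the command line the way the OpenSSH client's getopt does (bundled flags such as -fNR, joined values such as -p2222, -o in both joined and separate forms, and "--" or the destination host ending option parsing), refuses any -R / RemoteForward request with a policy notice, and records the attempt with logger so it can be collected centrally. The install location /usr/local/bin/ssh, the REAL_SSH path and the syslog tag are assumptions for this example.

```shell
#!/bin/sh
# Assumed deployment: installed as /usr/local/bin/ssh (earlier in PATH than
# /usr/bin/ssh). REAL_SSH is the distribution's own client; both paths are
# assumptions for this example.
REAL_SSH="${REAL_SSH:-/usr/bin/ssh}"

# True if an -o value names the RemoteForward keyword. ssh_config keywords are
# case-insensitive and the value may follow '=' or whitespace.
option_is_remote_forward() {
    kw=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[=[:space:]].*$//' \
        | tr '[:upper:]' '[:lower:]')
    [ "$kw" = "remoteforward" ]
}

# Walk one option group (the text after a leading '-', e.g. "fNR" or "p2222")
# character by character, as getopt does. Returns 0 if it requests a reverse
# tunnel. Sets EXPECT to the option letter whose value is the *next* argument
# (so that value is skipped and never mistaken for an option).
scan_group() {
    EXPECT=""
    s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remainder
        s=${s#?}                 # drop it
        case "$c" in
            R) return 0 ;;       # -R, value joined or in the next argument
            o) if [ -z "$s" ]; then EXPECT=o; return 1; fi
               if option_is_remote_forward "$s"; then return 0; fi
               return 1 ;;
            # Letters that take an argument in the OpenSSH client.
            b|c|D|E|e|F|I|i|J|L|l|m|O|p|Q|S|W|w|B)
               [ -z "$s" ] && EXPECT=$c
               return 1 ;;
            *) ;;                # flag without an argument; keep scanning
        esac
    done
    return 1
}

# True if the ssh argument list asks for a reverse tunnel. Anything after "--"
# or after the destination host is the remote command and is not inspected.
reverse_forward_requested() {
    EXPECT=""
    while [ $# -gt 0 ]; do
        arg=$1; shift
        if [ -n "$EXPECT" ]; then
            pending=$EXPECT; EXPECT=""
            if [ "$pending" = o ] && option_is_remote_forward "$arg"; then
                return 0
            fi
            continue             # this argument was an option value
        fi
        case "$arg" in
            --)   return 1 ;;
            -?*)  scan_group "${arg#-}" && return 0 ;;
            *)    return 1 ;;    # destination reached
        esac
    done
    return 1
}

# Tell the user why the command was refused and leave an audit trail.
deny_and_notify() {
    printf 'ssh policy: reverse tunnels (-R / RemoteForward) are not permitted from workstations.\n' >&2
    printf 'ssh policy: contact IT if you need one for a legitimate purpose.\n' >&2
    # Assumed syslog tag "ssh-policy"; logger is optional, so failure is ignored.
    logger -t ssh-policy -p auth.warning "user=$(id -un) blocked reverse tunnel: $*" 2>/dev/null || true
    exit 77                      # EX_NOPERM from sysexits.h
}

main() {
    if reverse_forward_requested "$@"; then
        deny_and_notify "$@"
    fi
    exec "$REAL_SSH" "$@"
}

# Only act as a wrapper when invoked under the ssh name; sourcing the file
# elsewhere just defines the functions above.
case "${0##*/}" in
    ssh|ssh-wrapper) main "$@" ;;
esac
```

Two limitations worth knowing before relying on it: a RemoteForward line in ~/.ssh/config or /etc/ssh/ssh_config is read by the client itself and never passes through this argument parser, and a user can always call /usr/bin/ssh by its full path. That matches the goal stated in the message, a reminder and a log entry rather than an enforcement boundary; the syslog line is what makes the attempts visible to whoever collects workstation logs.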
