OpenSSH-Client without reverse tunnel ability

Nico Kadel-Garcia nkadel at gmail.com
Thu Apr 5 22:04:43 AEST 2018


On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner at indurad.com> wrote:
> Hello all.
>
> First of all, I want to extend my sincere thanks to all the people who
> came to the rescue so quickly.
>
> In any case, there is obviously room for clarification on my part, so I
> will try to describe the situation we had in more detail.
>
> In short:
> Employees used the openssh-*client* from *within* our company network to
> create a *reverse* SSH tunnel, using an *external* SSH-Server. We
> control the Clients but not the servers.
> So, we wanted to restrict our *Clients*.

How difficult would it be to leave a scheduled security check to look
for "ssh[ \t].*-R.*" expressions with "pgrep", and file a security
abuse report if such processes are seen? It could be worked around,
but should catch the most blatant abusers, so they can be notified of
inappropriate behavior.

I'm not sure what is available for you if you're using OpenBSD or BSD
based operating systems, but for Linux RedHat had a bug report for
SELinux at https://bugzilla.redhat.com/show_bug.cgi?id=656813
explaining how they'd accidentally disabled port forwarding with
SELinux. Perhaps that could help you?

Nico Kadel-Garcia <nkadel at gmail.com>

