OpenSSH-Client without reverse tunnel ability

Alexander Wuerstlein arw at cs.fau.de
Thu Apr 5 22:11:47 AEST 2018


On 2018-04-05T14:07, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner at indurad.com> wrote:
> > Hello all.
> >
> > First of all, I want to extend my sincere thanks to all the people who
> > came to the rescue so quickly.
> >
> > In any case, there is obviously room for clarification on my part, so I
> > will try to describe the situation we had in more detail.
> >
> > In short:
> > Employees used the openssh-*client* from *within* our company network to
> > create a *reverse* SSH tunnel, using an *external* SSH-Server. We
> > control the Clients but not the servers.
> > So, we wanted to restrict our *Clients*.
> 
> How difficult would it be to leave a scheduled security check to look
> for "ssh[ \t].*-R.*" expressions with "pgrep", and file a security
> abuse report if such processes are seen? It could be worked around,
> but should catch the most blatant abusers so they can be notified of
> inappropriate behavior.

Additionally, one could grep home directories for relevant configuration
statements in ~/.ssh/config. However, that would be necessarily
incomplete, because the other relevant config is ~/.ssh/authorized_keys
on the remote end.



Ciao,

Alexander Wuerstlein.
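The two client-side checks raised in this exchange (ssh processes started with -R, and RemoteForward statements in ~/.ssh/config), as an added shell example that is not part of the thread. It runs over constructed sample data; the live variant assumes a Linux host with procps and, as noted above, cannot see the authorized_keys side on the external server.

```shell
#!/bin/sh
# Added example, not code from the thread: an audit for the two client-side
# signals discussed above: ssh processes started with -R, and RemoteForward
# statements in ~/.ssh/config. Sample input is constructed.

# Filter command lines on stdin to ssh invocations that request a reverse
# forward: -R, -R inside a flag group such as -fNR, or -o RemoteForward=...
# Heuristic: a remote command like "ssh host ls -lR" also matches; review hits.
find_reverse_tunnels() {
    grep -E \
      -e '(^|[[:space:]/])ssh[[:space:]](.*[[:space:]])?-[A-Za-z0-9]*R([^a-z]|$)' \
      -e '(^|[[:space:]/])ssh[[:space:]].*-o[[:space:]]*RemoteForward'
}

# Print RemoteForward directives from an ssh_config on stdin, prefixed with the
# Host/Match block they sit in (keywords are case-insensitive, "Key=value" ok).
find_remoteforward_directives() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) ~ /^(host|match)(=|$)/ { ctx = $0; sub(/^[[:space:]]+/, "", ctx); next }
        tolower($1) ~ /^remoteforward(=|$)/ {
            line = $0; sub(/^[[:space:]]+/, "", line)
            tag = (ctx == "" ? "(global)" : ctx)
            print tag ": " line
        }'
}
# Constructed sample data: a process listing and a client config.
SAMPLE_PS='12345 sshd: alice [priv]
12346 ssh -R 8080:localhost:22 alice@external.example.com
12347 ssh -fNR 2222:127.0.0.1:22 alice@external.example.com
12348 ssh -o RemoteForward=9000:localhost:80 alice@external.example.com
12349 ssh -L 3306:db.internal:3306 alice@jump.internal
12350 /usr/bin/ssh -oRequestTTY=no build.internal make'
SAMPLE_CONFIG='Host jump
    HostName jump.internal
    LocalForward 3306 db.internal:3306
Host external
    HostName external.example.com
    RemoteForward 8080 localhost:22
    remoteforward=9000 localhost:80'
# On a real Linux host (procps assumed) run the filters over ps output and
# each user's ~/.ssh/config; defined but not invoked here.
audit_live_host() {
    ps -eo pid=,args= | find_reverse_tunnels
    for f in /home/*/.ssh/config /root/.ssh/config; do
        [ -f "$f" ] && find_remoteforward_directives < "$f" | sed "s|^|$f: |"
    done
}
printf '%s\n' "$SAMPLE_PS" | find_reverse_tunnels
printf '%s\n' "$SAMPLE_CONFIG" | find_remoteforward_directives
```

On the sample data the first filter reports the three reverse-forward invocations (PIDs 12346 to 12348) and skips sshd, the -L forward and the -oRequestTTY line; the second reports both RemoteForward lines under "Host external".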

