disable port forwarding in OpenSSH
Jason Stone
jason at shalott.net
Wed Sep 19 09:19:47 EST 2001
> One more question: in order to offer mail-only access to the server I
> would like to run sshd with 'AllowTcpForwarding no' and with 'pine'
> instead of a shell. Is it believed safe way? Would that be possible
> for users to access ports or any stuff other than 'pine' in this
> configuration?
Many people have successfully used custom restricted shells that only
allow one or a small number of commands to be run upon login - you
shouldn't have a problem with that.
In the case of pine, be sure to disable the ability to jump to a shell in
the fixed config file, usually /usr/local/etc/pine.conf.fixed.
(echo 'feature-list=no-enable-suspend' >> /usr/local/etc/pine.conf.fixed)
Also be aware that pine has an awful history of security problems,
exploitable buffer overruns, etc, and that it would probably be pretty
easy for a malicious user to send himself a message that would cause his
pine to jump to a shell.... Maybe you want to consider mutt with
pine-like bindings instead....
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
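The reply above recommends running sshd with 'AllowTcpForwarding no' alongside a restricted command. The following is an added example and not part of the original post or of OpenSSH: a small POSIX shell lint that checks an sshd_config fragment for the directives that close the non-mail paths (TCP, agent and X11 forwarding, tunnels). The sample fragment is constructed; the group name "mailonly" and the path /usr/local/bin/pine are assumptions, and the Match block and ForceCommand directive it uses come from later OpenSSH releases than the one discussed in 2001 (the post's setup used pine as the login shell instead).

```shell
#!/bin/sh
# Added example, not from the original post. Lints an sshd_config fragment for
# the directives that close the non-mail paths a "pine only" account could use.
# The group name "mailonly" and the pine path are assumptions.

# Constructed sample sshd_config fragment (Match and ForceCommand need a later
# OpenSSH than the 2001 post discusses).
SAMPLE_CONFIG='
Match Group mailonly
    ForceCommand /usr/local/bin/pine
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
'

# check_directive CONFIG KEY VALUE
# Succeeds when KEY appears in CONFIG with exactly VALUE (key compared
# case-insensitively, as sshd does).
check_directive() {
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '
        tolower($1) == tolower(key) && $2 == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# lockdown_ok CONFIG
# Succeeds only when every forwarding/tunnel directive is explicitly "no".
# This is a lint of one block, not a substitute for "sshd -T -C user=NAME",
# which evaluates the whole config, Match blocks included, exactly as sshd will.
lockdown_ok() {
    cfg="$1"
    for pair in 'AllowTcpForwarding no' 'AllowAgentForwarding no' \
                'X11Forwarding no' 'PermitTunnel no'; do
        key="${pair% *}"
        val="${pair#* }"
        check_directive "$cfg" "$key" "$val" || {
            printf 'missing or not disabled: %s\n' "$key" >&2
            return 1
        }
    done
    return 0
}

# Stand-alone run: report on the constructed sample.
if lockdown_ok "$SAMPLE_CONFIG"; then
    echo "sample fragment: forwarding and tunnels are closed"
fi
```

The lint only confirms that the directives are present with the expected values; it does not model sshd's precedence rules, so on a real host the authoritative check is sshd's own extended test mode for the account in question. It also says nothing about the client side of the restriction, which in the post's setup depends on pine's fixed configuration (the 'no-enable-suspend' feature mentioned above).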