On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default..
>
> so the PDF also states that the "admin" user had /sbin/nologin for shell
>
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5 ...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
>
> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?
>
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5

That should allow you to prevent the forwarding as well.

Using TCP forwarding allows you to establish secure tunnels between systems
that are not directly reachable, without the need for a full-blown VPN. But
this is just my opinion.
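
An added example, not part of the original messages: a small audit that flags accounts like the "admin" user discussed above, which have a nologin shell but can still open TCP forwards because AllowTcpForwarding defaults to yes. The passwd lines and sshd_config text are constructed samples, and the parser is a simplification that assumes only global options, global DenyUsers with user-only patterns, and `Match User` blocks.

```python
import fnmatch

NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_sshd_config(text):
    """Return (global options, Match User blocks, global DenyUsers patterns)."""
    opts, blocks, deny, current = {}, [], [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            crit = value.split(None, 1)
            # Assumption: only "Match User a,b" is modelled; other criteria match nobody.
            is_user = len(crit) == 2 and crit[0].lower() == "user"
            current = {}
            blocks.append((crit[1].split(",") if is_user else [], current))
        elif key == "denyusers" and current is None:
            deny.extend(value.split())
        else:
            # sshd keeps the first value it obtains for a keyword.
            (opts if current is None else current).setdefault(key, value.lower())
    return opts, blocks, deny

def matches(user, patterns):
    # Approximation of sshd patterns ("*" and "?" wildcards only).
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)

def audit(passwd_text, config_text):
    """Map each account to denied / shell / forward-only / no-shell-no-forward."""
    opts, blocks, deny = parse_sshd_config(config_text)
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        user, shell = fields[0], fields[-1]
        fwd = next((b["allowtcpforwarding"] for users, b in blocks
                    if "allowtcpforwarding" in b and matches(user, users)),
                   opts.get("allowtcpforwarding", "yes"))  # sshd default is yes
        if matches(user, deny):
            result[user] = "denied"
        elif shell not in NOLOGIN:
            result[user] = "shell"
        else:
            result[user] = "forward-only" if fwd != "no" else "no-shell-no-forward"
    return result

# Constructed sample data, not taken from any real system.
PASSWD = "\n".join(["admin:*:1000:1000::/home/admin:/sbin/nologin",
                    "peter:*:1001:1001::/home/peter:/bin/ksh",
                    "backup:*:1002:1002::/home/backup:/sbin/nologin"])
SSHD_CONFIG = "DenyUsers backup\nMatch User peter\n    AllowTcpForwarding no\n"
HARDENED = SSHD_CONFIG + "Match User admin\n    AllowTcpForwarding no\n"
```

With the sample config, `audit(PASSWD, SSHD_CONFIG)` reports admin as "forward-only"; with `HARDENED` the same account becomes "no-shell-no-forward".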

