On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default..
> 
> so the PDF also states that the "admin" user had /sbin/nologin for shell
> 
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
> 
> so having AllowTcpForwarding=NO would help.
> 
> Why is it yes by default? Someone requested it to be yes? Does anybody know?
> 
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
That should allow you to prevent the forwarding as well.

Using TCP forwarding allows one to establish secure tunnels between
systems that are not directly reachable, without the need for a
full-blown VPN. But this is just my opinion.
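
An added example (not part of the original message and not OpenSSH code): a small Python audit for the situation discussed in this thread, accounts whose shell is nologin but for which sshd still permits TCP forwarding. The passwd lines and per-user settings are constructed, and the settings are assumed to have been collected beforehand with `sshd -T -C user=NAME`.

```python
# Added example: all sample data below is constructed, not taken from the thread.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed passwd(5)-style lines (7 fields); "admin" mirrors the account
# named in the thread.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
admin:*:1000:1000:Admin:/home/admin:/sbin/nologin
backup:*:1001:1001:Backup:/home/backup:/sbin/nologin
svc:*:1002:1002:Service:/home/svc:/sbin/nologin
"""

# Constructed effective settings per user, in the lowercase "keyword value"
# form printed by `sshd -T -C user=NAME` (assumed to be collected beforehand).
EFFECTIVE = {
    "admin": "allowtcpforwarding yes\n",
    "backup": "allowtcpforwarding no\n",
    "svc": "allowtcpforwarding yes\ndenyusers svc\n",
}

def parse_settings(text):
    """Map keyword -> list of values from `sshd -T` style output."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            settings.setdefault(parts[0].lower(), []).extend(parts[1:])
    return settings

def forwarding_exposed(passwd_text, effective):
    """Return nologin accounts that can still authenticate and forward TCP."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[6] not in NOLOGIN_SHELLS:
            continue
        user = fields[0]
        cfg = parse_settings(effective.get(user, ""))
        # sshd defaults to "yes" when AllowTcpForwarding is not set
        forwarding = cfg.get("allowtcpforwarding", ["yes"])[0]
        # Assumption: DenyUsers holds plain names only, no patterns or user@host
        denied = user in cfg.get("denyusers", [])
        if forwarding != "no" and not denied:
            exposed.append((user, forwarding))
    return exposed

if __name__ == "__main__":
    for user, mode in forwarding_exposed(PASSWD, EFFECTIVE):
        print(f"{user}: shell is nologin but AllowTcpForwarding={mode}")
```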
