Having the username for password is, yes, almost the biggest retarded idiotism
in 2016, but disabling AllowTcpForwarding by default could help a little, and a
little in this case is big.
I hope this admin user doesn't have permission to change shell, etc. And in
this general case (IoT), they have /sbin/nologin, so hopefully not.
That's why AllowTcpForwarding=no by default could help in general.
heck, it even has a CVE:
Sent: Tuesday, October 18, 2016 at 11:05 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
Subject: Re: SSHowDowN
On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> so the PDF also states that the "admin" user had /sbin/nologin for shell
> Note that disabling TCP forwarding does not improve security unless users
> are also denied shell access
> so having AllowTcpForwarding=NO would help.
> Why is it yes by default? someone requested it to be yes? does anybody
See the DenyUsers option for sshd_config:
org/OpenBSD-current/man5/sshd_config.5] That should allow you to prevent
the forwarding as well.
Using TCP forwarding allows one to establish secure tunnels between
systems that are not directly reachable, without the need for a
full-blown VPN. But this is just my opinion.
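
Added example, not part of the thread: a small audit of the combination discussed above, listing accounts whose shell is a nologin shell but for which sshd's global settings still permit TCP forwarding. The function names, the sample sshd_config text and the passwd lines are constructed for illustration; `Match` blocks and `USER@HOST` patterns in DenyUsers are assumed out of scope and are not evaluated.

```python
import fnmatch
import re

# Shells that refuse an interactive session (assumed list; extend per platform).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def global_options(sshd_config):
    """Map lower-cased global keywords to their argument lists.
    sshd keeps the first value seen for a keyword; DenyUsers lines accumulate.
    Parsing stops at the first Match line, since later lines are conditional."""
    opts = {}
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":
            break
        if key == "denyusers":
            opts.setdefault(key, []).extend(args)
        else:
            opts.setdefault(key, args)
    return opts

def forwarding_only_accounts(sshd_config, passwd):
    """Return nologin accounts that sshd would still let forward TCP
    connections, provided they can authenticate."""
    opts = global_options(sshd_config)
    # AllowTcpForwarding defaults to yes; "local", "remote" and "all" also permit it.
    if opts.get("allowtcpforwarding", ["yes"])[0].lower() == "no":
        return []
    denied = [p for p in opts.get("denyusers", []) if "@" not in p]
    flagged = []
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) < 7 or fields[6] not in NOLOGIN_SHELLS:
            continue
        if any(fnmatch.fnmatchcase(fields[0], p) for p in denied):
            continue
        flagged.append(fields[0])
    return flagged

# Constructed sample passwd data.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/sbin/nologin
support:x:1001:1001::/home/support:/bin/false
"""
```
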