Having the username for password is, yes, almost the biggest retarded idiotism in 2016, but disabling AllowTcpForwarding by default could help a little, and a little in this case is big.

I hope this admin user doesn't have permission to change shell, etc. And in this general case (IoT), they have /sbin/nologin, so hopefully not. That's why AllowTcpForwarding=no by default could help in general. Heck, it even has a CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653

Sent: Tuesday, October 18, 2016 at 11:05 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN

On 10/18/2016 10:56 AM, Peter Janos wrote:
> Sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default.
>
> So the PDF also states that the "admin" user had /sbin/nologin for shell.
>
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
> ...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
>
> So having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? Someone requested it to be yes? Does anybody know?
>
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5

That should allow you to prevent the forwarding as well.

Using TCP forwarding allows establishing secure tunnels between systems that are not directly reachable, without the need for a full-blown VPN. But this is just my opinion.
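The thread's concern is the combination of two settings: whether sshd lets an account open TCP forwards (AllowTcpForwarding, default yes, overridable per user or group in a Match block) and whether that account has a real login shell. The sshd_config(5) note quoted above means that neither setting alone is enough: a nologin account with forwarding allowed is the SSHowDowN relay case, while an account with a shell can move traffic with or without the sshd forwarding feature. The following is an added audit example, not code from the thread or from OpenSSH: it parses a constructed sshd_config (global options plus "Match User" and "Match Group" blocks, resolved the way sshd does, first matching block that sets an option wins) together with a constructed /etc/passwd and group map, and classifies every account. The file contents, user names and group names are all made up for the example; on a real host the authoritative check is `sshd -T -C user=<name>,host=<h>,addr=<a>`, which prints the effective configuration for that connection.

```python
"""Audit sshd forwarding versus shell access per account.

Added example for the SSHowDowN thread; all inputs below are constructed.
Only 'Match User' and 'Match Group' criteria are modelled, which is enough
to show the resolution order; sshd_config(5) supports more criteria.
"""

# Constructed sample: AllowTcpForwarding left at its sshd default (yes).
DEFAULT_LIKE_CONFIG = """\
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample: forwarding off for everyone, re-enabled for one group.
HARDENED_CONFIG = """\
AllowTcpForwarding no
PermitRootLogin no
Match Group tunnelers
    AllowTcpForwarding yes
"""

# Constructed /etc/passwd excerpt (hypothetical accounts).
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
admin:*:1001:1001:Device admin:/nonexistent:/sbin/nologin
backup:*:1002:1002:Backup:/home/backup:/bin/sh
alice:*:1003:1003:Alice:/home/alice:/bin/ksh
"""

GROUPS = {"tunnelers": {"alice"}}  # constructed group membership
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]) with lowercase keys."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            tokens = value.split()            # e.g. "User backup" -> pairs
            criteria = {tokens[i].lower(): set(tokens[i + 1].split(","))
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            matches.append(current)
        elif current is None:
            global_opts[key] = value          # before any Match: global
        else:
            current[1][key] = value           # inside the open Match block
    return global_opts, matches


def effective_option(conf, option, user, groups, default="yes"):
    """First matching Match block that sets `option` wins, else global/default."""
    global_opts, matches = conf
    user_groups = {g for g, members in groups.items() if user in members}
    for criteria, opts in matches:
        fits = all(
            (k == "user" and user in v) or (k == "group" and bool(user_groups & v))
            for k, v in criteria.items()
        )
        if fits and option in opts:
            return opts[option]
    return global_opts.get(option, default)


def parse_passwd(text):
    """Map user name -> login shell (field 7 of passwd)."""
    return {f[0]: f[6] for f in (l.split(":") for l in text.splitlines() if l)}


def audit(sshd_text, passwd_text, groups):
    """Classify each account: RELAY, SHELL+FWD, SHELL or OK."""
    conf = parse_sshd_config(sshd_text)
    findings = {}
    for user, shell in parse_passwd(passwd_text).items():
        fwd = effective_option(conf, "allowtcpforwarding", user, groups)
        fwd_allowed = fwd.lower() in ("yes", "all", "local", "remote")
        has_shell = shell not in NOLOGIN_SHELLS
        if fwd_allowed and not has_shell:
            code = "RELAY"      # the SSHowDowN case: no shell, still a tunnel
        elif fwd_allowed and has_shell:
            code = "SHELL+FWD"  # forwarding=no alone would not fix this
        elif has_shell:
            code = "SHELL"      # per sshd_config(5): shell access implies forwarding
        else:
            code = "OK"
        findings[user] = (fwd, shell, code)
    return findings


if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for user, (fwd, shell, code) in audit(cfg, PASSWD, GROUPS).items():
            print(f"{user:8} forwarding={fwd:4} shell={shell:14} {code}")
```

With the default-like configuration the nologin "admin" account is reported as RELAY, which is exactly the situation the thread describes; with the hardened configuration it becomes OK, while the accounts that still have a shell stay flagged, matching the man page's warning that turning off forwarding only helps where shell access is also denied.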