Having the username as the password is, yes, almost the biggest retarded idiotism
in 2016, but disabling AllowTcpForwarding by default could help a little, and a
little in this case is big.

I hope this admin user doesn't have permission to change shell, etc. And in
this general case (IoT), they have /sbin/nologin, so hopefully not.

That's why AllowTcpForwarding=no by default could help in general.  

Heck, it even has a CVE:

Sent: Tuesday, October 18, 2016 at 11:05 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN
On 10/18/2016 10:56 AM, Peter Janos wrote:
> Sometimes I send mails in HTML format, sorry for that; mail.com has this by
> default.
> So the PDF also states that the "admin" user had /sbin/nologin for shell.
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
> Note that disabling TCP forwarding does not improve security unless users
> are also denied shell access
> So having AllowTcpForwarding=NO would help.
> Why is it yes by default? Someone requested it to be yes? Does anybody
> Thanks.

See the DenyUsers option for sshd_config
[http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5]. That should
allow you to prevent the forwarding as well.

Using TCP forwarding allows you to establish secure tunnels between
systems that are not directly reachable without the need for a full-blown
VPN. But this is just my opinion.
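As an added illustration of the point made in this thread (this is example configuration, not something posted by either author), the sshd_config fragment below contrasts the upstream default with a policy that denies forwarding globally, blocks the nologin "admin" account outright with DenyUsers, and re-enables tunnels only for a group of real administrators. The group name "admins" and the PermitOpen destination are assumed values.

```conf
# sshd_config (added example, not from the thread)

# Weak: this is the upstream default. An account whose shell is /sbin/nologin
# is still authenticated and still gets a session, so it can request
# -L / -R / -D port forwards even though it cannot run a shell.
#AllowTcpForwarding yes

# Hardened: refuse every forwarding type for everyone by default.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Service accounts that only exist to hold a nologin shell should be rejected
# before any channel is opened; DenyUsers does that at the authentication stage.
DenyUsers admin

# Re-enable forwarding only where it is actually needed, and pin the allowed
# destination. "admins" and the destination below are assumed names/values.
Match Group admins
    AllowTcpForwarding yes
    PermitOpen localhost:5432
```

You can confirm what a given account would actually get with `sshd -T -C user=admin,host=localhost,addr=127.0.0.1 | grep -i forwarding`, which prints the effective values after Match blocks are applied.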
