On Fri, Aug 21, 2009 at 7:34 AM, Uwe Dippel<[email protected]> wrote:
> Now I am pretty sure that this is what we see here.
> It also makes sense, since all those users sit on a tightly controlled LAN;
> while that machine is 'further out'. So that restricted services can be
> accessed through some tunneling.
> Now: How to prevent it?? I have hundreds of users, who can log on from
> hundreds of machines, and all need access to ssh, and easily 30 at the same
> time.
> So, filtering IP addresses is out, nologin is out, no ssh is out.
> Of course, I can politely ask, but I would not necessarily trust it to be
> followed. I'd much rather disallow it technically. At least, have an easy
> access to the record (e.g. in 'last'). But since it doesn't require logon,
> what to do? And how to prevent this??

Read the man page for ssh_config(5) and sshd_config(5), and look at restricting what your users can do. Specifically: AllowTcpForwarding, PermitOpen and PermitTunnel, combined with Match.
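As an added illustration of the directives named in the reply (example config, not from the thread): a global lock-down of forwarding and tunnelling, with a Match block that re-opens one destination for one group. The group name tunnel-ok, the LAN range 192.0.2.0/24 and the host intranet.example are assumed placeholders.

```sshd_config
# Added example, not from the thread. Group "tunnel-ok", 192.0.2.0/24 and
# intranet.example are placeholders; substitute your own.

# Global defaults, applied to every connection unless a Match block below
# overrides them.
# - AllowTcpForwarding no refuses both -L (local) and -R (remote) forwards.
# - PermitTunnel no refuses tun(4) device forwarding (ssh -w).
# - PermitOpen none refuses every local-forward destination, so a later
#   "AllowTcpForwarding yes" on its own still forwards nothing.
AllowTcpForwarding no
PermitTunnel no
PermitOpen none

# Match blocks must come after all global settings; each setting inside one
# applies only to connections matching every criterion on the Match line
# (criteria on the same line are ANDed) and replaces the global value.
# Only members of tunnel-ok connecting from the LAN may forward, and only to
# intranet.example port 443. PermitOpen constrains -L style (direct-tcpip)
# forwards only; -R forwards are governed by AllowTcpForwarding alone.
Match Group tunnel-ok Address 192.0.2.0/24
    AllowTcpForwarding yes
    PermitOpen intranet.example:443
```

The effective settings for a given user and source address can be checked without restarting with `sshd -T -C user=alice,host=lab.example,addr=192.0.2.10`, and sshd logs forward requests it refuses under PermitOpen, which gives the record the original poster asked for. sshd_config(5) itself cautions that disabling forwarding only helps when users cannot also run arbitrary programs on the host, since a shell user can start their own forwarder.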

