On 11:47 16 Mar 2002, Gordon Messmer <[EMAIL PROTECTED]> wrote:
| On Fri, 2002-03-15 at 09:43, Rick Warner wrote:
| > On Fri, 15 Mar 2002, David Talkington wrote:
| > > Um ... Rick, you can turn that off. See the sshd man page for
| > > AllowTcpForwarding.
| >
| > Ummm, David, I can turn it off on sshd, not ssh, esp. if users can bring
| > or accumulate their own copies and circumvent my ssh config files.
| > Scenario: dangerous user A, who knows enough to do harm but not enough to
| > know he is dangerous, decides that Company Z does not allow all the
| > protocols he wants to/from his home network.
A good point.

| Re-evaluate your need for inbound/outbound SSH. Where I work, for
| instance, inbound SSH is allowed only to a small number of trusted
| servers.

Likewise, but that's not his problem.

| You may find that outbound SSH is not necessary,

It's very very useful.

| or that
| the risks involved can be greatly reduced by allowing outbound ssh
| from only a single host, which can be used by trusted users.

This is a viable approach, often.

| > This is why the tunnelling features need to be completely separated, IMHO

Actually, that's a waste of effort. You can run an arbitrary protocol over
the main ssh connection (i.e. _without_ port forwarding) and thus run a
port-forward-capable protocol (like, gee, I dunno, ssh itself :-) over that.

While your category 4 user (see sig quote) may not think of this one, your
"rogue" category 1 user may, so your security problem is not fixed with
such an approach, merely mildly enhanced.

Personally I would opt for the "allow outbound ssh to a set of trusted
users" approach if possible. At my workplace we're fairly fortunate; most
of our users are either category 1, and thus in the trusted class. Most
others are category 3 and can be told why we don't like them to forward
whatever weird dangerous protocol they wanted and how to arrange their
specific need more safely. Our few category 4 users don't know enough to
want ssh outbound.

-- 
Cameron Simpson, DoD#743 [EMAIL PROTECTED] http://www.zip.com.au/~cs/

Men are four:
He who knows and knows that he knows; he is wise, follow him.
He who knows and knows not that he knows; he is asleep, wake him.
He who knows not and knows that he knows not; he is ignorant, teach him.
He who knows not and knows not that he knows not; he is a fool, spurn him!

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
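Editor's added example (not part of the thread, and not OpenSSH's own code). David's suggestion is AllowTcpForwarding in sshd_config; before relying on it, it is worth knowing which value sshd will actually apply to a given login, because sshd_config(5) uses two rules that are easy to get wrong by eye: for each keyword the first value obtained wins, and a keyword set inside the first satisfied Match block overrides the global value. The script below computes the effective AllowTcpForwarding for a user and group set from a constructed sshd_config fragment. Assumptions: only the Match criteria User, Group and All are implemented (any other criterion raises rather than mis-reporting), and pattern lists follow sshd's comma-separated, "*"/"?" wildcard, leading-"!" negation semantics.

```python
# Added example: not from the thread and not OpenSSH's own code. Computes the
# AllowTcpForwarding value sshd will apply to a user, following two rules
# documented in sshd_config(5): for each keyword the first value obtained
# wins, and a keyword set in the first satisfied Match block overrides the
# global value. Assumption: only the Match criteria User, Group and All are
# handled; any other criterion raises instead of silently mis-reporting.
import fnmatch
import shlex

TCP_FORWARDING_VALUES = {"yes", "all", "no", "local", "remote"}
SSHD_DEFAULT = "yes"  # sshd's compiled-in default for AllowTcpForwarding


def pattern_list_matches(pattern_list, candidates):
    """sshd pattern-list semantics: comma-separated patterns, '*' and '?'
    wildcards, a leading '!' negates, and any negated hit rejects the list."""
    got_positive = False
    for pattern in pattern_list.split(","):
        negate = pattern.startswith("!")
        pattern = pattern[1:] if negate else pattern
        if any(fnmatch.fnmatchcase(c, pattern) for c in candidates):
            if negate:
                return False
            got_positive = True
    return got_positive


def match_block_applies(criteria, user, groups):
    """criteria are the tokens after 'Match', e.g. ['User', 'bob,al*', 'Group', 'staff'].
    Every criterion on the line must be satisfied for the block to apply."""
    if len(criteria) == 1 and criteria[0].lower() == "all":
        return True
    if not criteria or len(criteria) % 2:
        raise ValueError("malformed Match line: %r" % (criteria,))
    for key, value in zip(criteria[::2], criteria[1::2]):
        key = key.lower()
        if key == "user":
            ok = pattern_list_matches(value, [user])
        elif key == "group":
            ok = pattern_list_matches(value, list(groups))
        else:
            raise ValueError("Match criterion %r is not handled by this example" % key)
        if not ok:
            return False
    return True


def effective_tcp_forwarding(config_text, user, groups=()):
    """Return the AllowTcpForwarding value sshd would use for this user."""
    global_value = None   # first value seen in the global section
    match_value = None    # value from the first satisfied Match block
    in_match = None       # None while in the global section, else True/False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw, comments=True)   # '#' starts a comment
        if not tokens:
            continue
        keyword = tokens[0].lower()                # keywords are case-insensitive
        if keyword == "match":
            in_match = match_block_applies(tokens[1:], user, groups)
            continue
        if keyword != "allowtcpforwarding":
            continue
        if len(tokens) != 2 or tokens[1].lower() not in TCP_FORWARDING_VALUES:
            raise ValueError("bad AllowTcpForwarding line: %r" % raw)
        value = tokens[1].lower()
        if in_match is None:
            global_value = global_value if global_value is not None else value
        elif in_match and match_value is None:
            match_value = value
    if match_value is not None:
        return match_value
    return global_value if global_value is not None else SSHD_DEFAULT


# Constructed sshd_config fragment for the demonstration (not a real host's).
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes        # ignored: the first value wins

Match Group admins
    AllowTcpForwarding yes

Match User bob,al* Group staff
    AllowTcpForwarding local
    X11Forwarding no

Match User bob
    AllowTcpForwarding yes    # ignored: an earlier satisfied block set it

Match User !carol,*
    AllowTcpForwarding remote
"""

if __name__ == "__main__":
    for who, grps in [("root", ("admins",)), ("alice", ("staff",)),
                      ("bob", ("staff",)), ("bob", ("users",)),
                      ("carol", ("users",)), ("dave", ("users",))]:
        print(who, grps, "->", effective_tcp_forwarding(SAMPLE_CONFIG, who, grps))
```

What this tells you is only what sshd will do with port-forwarding requests on its own channel. It says nothing about Cameron's point above: the session channel's stdin/stdout is still a byte pipe, and a client that drives a relay on the far end through it (one common shape, assuming a netcat binary exists on the gateway, is ssh -o ProxyCommand='ssh gateway nc %h %p' target) carries a second ssh, forwarding and all, through a server whose effective value above is "no". That is why the thread's workable control is the network-side one, outbound ssh from a single host used by trusted users, rather than a client or server option.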
