Tom Anderson wrote:
I've been asked to disable TCP forwarding on a dozen or so servers,
mostly using openssh 4.3p2, in order to prevent users from bypassing
our firewall rules. I'm somewhat concerned, however, by the following
snippet from the sshd_config manpage.
``Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.''
Unfortunately, denying shell access isn't really an option at present.
I'm trying to explain the risk/limitations to my management, but they
seem to be considering this as some sort of magic
``vulnerable=nevermore'' setting. In other words, they're not
interested unless I can absolutely prove it.
I've been trying to put together an example with ssh and netcat, using
several variations of:
$ nc -l -p 2000 | ssh myhost nc localhost 2000
This has only been partially successful, however, yielding mere one-way
data flow.
That's because the shell pipeline is unidirectional.
I hate to ask, but would anyone be willing to provide a
working example?
ssh -o 'ProxyCommand ssh myhost nc %h %p' internalserver
or, if you build the original netcat with -DGAPING_SECURITY_HOLE on the
client side:
[in window 1]
$ cat fwd
#!/bin/sh
ssh myhost nc localhost 80
$ nc -l -p 1234 -e ./fwd
[in window 2]
$ telnet localhost 1234
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 03 Nov 2 [...]
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
