Date: Sun, 11 Mar 2001 13:41:33 +0100
From: Gabriel Ambuehl <gabriel_ambuehl@buz.ch>
To: freebsd-questions@FreeBSD.ORG
Subject: SSH port forwarding: can I deactivate forwarding to remote hosts but still allow it on to the ports on the server?
Message-ID: <119597798298.20010311134133@buz.ch>

Hello,

I'm a bit worried about the port forwarding feature of OpenSSH: while it is definitely cool for many uses (many of them I'm just in the process of thinking about), I can see one big problem with it: users who only have SFTP enabled for their accounts can still use it, which is basically fine (as it would allow for cheap and cheerful secured POP and SMTP services), but it makes me worry about the fact that they can also forward to a remote host from the server and thus could use it as a proxy for tons of malicious things.

For said reasons, I don't want to deactivate it entirely, but I'd very much like to have it limited to the local ports of the server, i.e.

    User: IP1
    Server: IP2

so the user can only use

    user@ip1$ ssh -L XX:IP2:YY user@IP2

but not

    user@ip1$ ssh -L XX:IP3:YY user@IP2

Reading through the OpenSSH docs, I only found an option to deactivate the feature completely, which is not exactly what I'd want. In theory, this problem could be solved partly [1] by a very restrictive firewall, but I'd really prefer a solution which stops the trouble before it starts (as the firewall will stop it just after the user wanted to start the trouble).

[1] Completely isn't possible IMHO, since the server needs some outgoing ports open to be able to use DNS and SMTP, which the users then could use for their purposes.

Best regards,
Gabriel
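
The restriction asked for above, written as an sshd_config fragment for current OpenSSH releases. This is an added example, not part of the original message; the group name sftponly and the address 192.0.2.10 (standing in for IP2) are assumptions, and ports 110 and 25 are the POP and SMTP services the message mentions.

```conf
# sshd_config fragment (added example; group name and address are constructed)

# Unrestricted: forwarding is on with no destination limit, so an
# SFTP-only account can still run
#     ssh -L XX:IP3:YY user@IP2
# and relay traffic through the server to a third host.
#   AllowTcpForwarding yes

# Restricted: members of the (hypothetical) sftponly group get no shell,
# may open local (-L) forwards only, and only to the listed destinations.
Match Group sftponly
    # No shell or arbitrary commands, only the built-in SFTP server.
    ForceCommand internal-sftp
    # Allow -L forwards, refuse -R forwards.
    AllowTcpForwarding local
    # Destinations a forward may connect to. 192.0.2.10 stands in for IP2.
    # Entries are compared literally with the host the client asks for:
    # no name lookup is done, so "localhost:110" does not match
    # "127.0.0.1:110". List every spelling that should be accepted.
    PermitOpen 127.0.0.1:110 127.0.0.1:25 192.0.2.10:110 192.0.2.10:25
```

Running sshd -t checks the file for syntax errors before the daemon is reloaded. A forward to any destination not listed in PermitOpen is refused by sshd when the channel is opened, before any outbound connection is attempted.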