Secure Shell
Emulating ssh's -D option, if TCP forwarding is disabled Nov 11 2006 11:38AM
Thomas Hafner (thomas hafner NL EU ORG) (1 replies)
Hello,

in man sshd_config it is written (see also the thread "disabling of TCP
forwarding ineffective?" started on Wed, 1 Nov 2006 17:09:36 -0800
(PST)):

| AllowTcpForwarding
|
| Specifies whether TCP forwarding is permitted. The default is "yes".
| Note that disabling TCP forwarding does not improve security unless
| users are also denied shell access, as they can always install their
| own forwarders.

What's the easiest way to install such a forwarder? It shall support
the "local 'dynamic' application-level port forwarding" (man
sshd), see option -D for ssh.

Here some details (LH == local host, RH == remote host):

- An ordinary user can establish ssh connections from LH to RH, but
configuration of sshd on remote_host has set AllowTcpForwarding=No.

- On LH there's an application LA which listens on a given port and
provides a SOCKS4 interface.

- On RH there's an application RA which operates on standard input and
output like a typical daemon that can be launched by inetd.
Actually RA will be launched by ssh -t.

- The services provided by LA will be executed by RA. So there must be
some bidirectional transfer between LA and RA via ssh -t.

Are there already applications LA and RA like above? Or are there
similar applications, which can easily be enhanced by configuration
or programming?

I think the hacks mentioned in the thread "disabling of TCP forwarding
ineffective?" are not a sufficient solution, because:

- netcat works as a one shot server, but a continual server is needed
- a SOCKS interface is needed rather than just a simple port
forwarding

Just an idea: maybe there's somewhere a variant of SSHD which differs
from the original SSHD in these features:

- The variant can be configured also by the user, not only by root
(somewhat a local sshd_config).
- Login is not needed. That is done by the original SSH connection.
- Even encryption is not needed for the same reason. TCP forwarding is
the feature that shall definitively stay.

If you feel that I'm posting to the wrong list, could anyone recommend
a better one to me, please?

Regards
Thomas
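The man page caveat quoted in the post is the check an administrator actually wants to automate: AllowTcpForwarding=no only restricts users who are also denied a shell, otherwise they can run their own forwarder over the session. The script below is an added example (not part of the original post and not OpenSSH code) that parses an sshd_config fragment and reports whether that caveat holds. It relies on two real sshd_config directives, AllowTcpForwarding (quoted in the post) and ForceCommand (not mentioned in the post; assumed here as the way shell access is denied); the sample configurations are constructed for the example.

```python
import re

# Constructed sample 1: forwarding is off, but every user still gets a shell,
# so the restriction is ineffective per the sshd_config man page.
SSHD_CONFIG_FORWARDING_ONLY = """
# TCP forwarding disabled, interactive shell still allowed
Port 22
AllowTcpForwarding no
"""

# Constructed sample 2: forwarding off globally, shell denied only for one
# Match block. Users outside that block can still install a forwarder.
SSHD_CONFIG_PARTIAL = """
Port 22
AllowTcpForwarding no
Match User backup
    ForceCommand /usr/local/bin/backup-only
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*[= \t]\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).

    Comments and blank lines are dropped. Directives after a 'Match' line
    are collected into that block instead of the global dictionary; a later
    duplicate keyword overwrites an earlier one (sshd itself honours the
    first occurrence, which only matters for conflicting duplicates).
    """
    global_dirs = {}
    match_blocks = []
    current = global_dirs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue  # keyword without a value: ignore rather than guess
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current[key] = value
    return global_dirs, match_blocks


def audit_tcp_forwarding(text):
    """Apply the man page caveat to a parsed sshd_config.

    The restriction is only rated 'effective' when TCP forwarding is disabled
    globally AND shell access is denied globally via ForceCommand. Match
    blocks that set ForceCommand are reported separately so the reader can
    see which users are actually covered.
    """
    global_dirs, match_blocks = parse_sshd_config(text)
    # sshd's default for AllowTcpForwarding is "yes".
    disabled = global_dirs.get("allowtcpforwarding", "yes").lower() == "no"
    shell_denied_globally = "forcecommand" in global_dirs
    covered = [crit for crit, dirs in match_blocks if "forcecommand" in dirs]
    return {
        "tcp_forwarding_disabled": disabled,
        "shell_denied_globally": shell_denied_globally,
        "shell_denied_for": covered,
        "effective": disabled and shell_denied_globally,
    }


if __name__ == "__main__":
    for name, cfg in (("forwarding-only", SSHD_CONFIG_FORWARDING_ONLY),
                      ("partial", SSHD_CONFIG_PARTIAL)):
        print(name, audit_tcp_forwarding(cfg))
```

Run it against a real /etc/ssh/sshd_config by reading the file into `audit_tcp_forwarding`; an "effective" value of False with `tcp_forwarding_disabled` True is exactly the situation the man page warns about.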

Re: Emulating ssh's -D option, if TCP forwarding is disabled Nov 14 2006 07:41AM
Thomas Hafner (thomas hafner NL EU ORG)
Copyright 2008, SecurityFocus