OpenSSH cutting edge
Federico Biancuzzi, 2005-12-19

Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures.

OpenSSH cutting edge 2005-12-21
Alex Blewitt (1 replies)
Re: OpenSSH cutting edge 2005-12-21
Kelly Martin
Editorial: alter use of HTML-comments 2005-12-21
Anonymous (1 replies)
OpenSSH cutting edge 2005-12-21
Anonymous (4 replies)
Re: OpenSSH cutting edge 2005-12-21
Anonymous (1 replies)
Your implication is that it is safe to allow ssh to pass through the firewall from untrusted inside hosts/users today, but will become hopelessly less so after OpenSSH implements more functional tunnels, and that the OpenSSH team should therefore not provide such functionality.

However, your first implication is simply false - if you, as firewall admin, are allowing ssh from inside hosts today on tcp/22 due to the presumption that those connections are ONLY used for ssh or ONLY used for textual connections, then you are already making a mistake.

SSH already allows tunneling arbitrary ports. There are in turn many ways to funnel entire networks through those single-port tunnels already, so the assumption that this is an increase in exposure is false.

On the other hand there are good reasons to appreciate the increased functionality in OpenSSH. It's just one more tool in the hands of Unix users, and the more tools we have the more flexibility we have. I'm looking forward to the new version, and I really appreciate the effort of the developers.




Link to this comment: http://www.securityfocus.com/comments/columns/375/32845#32845
Re: Re: OpenSSH cutting edge 2005-12-22
Anonymous
Re: OpenSSH cutting edge 2005-12-21
Anonymous (1 replies)
Re: Re: OpenSSH cutting edge 2005-12-29
Anonymous
Re: OpenSSH cutting edge 2005-12-22
Anonymous (1 replies)
Re: Re: OpenSSH cutting edge 2005-12-29
Anonymous
Re: OpenSSH cutting edge 2005-12-22
Anonymous
TCP over TCP considered harmful 2005-12-22
Anonymous (3 replies)
Re: TCP over TCP considered harmful 2005-12-22
Anonymous (1 replies)
Re: TCP over TCP considered harmful 2006-01-03
Baron von Leezard
Brute force attack 2005-12-22
Jules
OpenSSH cutting edge 2006-01-03
Anonymous (2 replies)
Re: OpenSSH cutting edge 2006-01-07
communIT
Re: OpenSSH cutting edge 2007-11-10
Anonymous
OpenSSH cutting edge 2006-01-24
Chris Kendon







 

Copyright 2007, SecurityFocus