Re: Securing ssh tunnels.
From: Ben Lindstrom (mouring_at_etoh.eviladmin.org)
Date: 06/26/03
- Previous message: Darren Reed: "Re: Securing ssh tunnels."
- In reply to: Darren Reed: "Re: Securing ssh tunnels."
- Next in thread: Brian Hatch: "Re: Securing ssh tunnels."
- Reply: Brian Hatch: "Re: Securing ssh tunnels."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Jun 2003 00:06:37 -0500 (CDT)
To: Darren Reed <avalon@caligula.anu.edu.au>
On Thu, 26 Jun 2003, Darren Reed wrote:
[..]
>
> A good example of how transparency leads to security is some movie
> with Richard Gere (set in China) where he goes into some room in the
> US embassy where all the walls are see-through and it is suspended
> in mid air (kinda). You can see that there aren't any bugs in the
> ceiling or walls of that room.
>
Cute movie, but a bit overdone because there are alternate ways to listen
in on a conversation than standard bugs. =)
> Anyway, that's getting beyond the point. Yes, I'm aware of things
> that do multiplexing over telnet sessions, they date back to the
> early 90s (if not earlier), on linux. Their existence isn't the
> problem, it's the perception that ssh is a security hole, that is.
>
> I suppose what I was hoping for as an answer was "here's this encrypted
> telnet-session-like protocol that doesn't support tunnelling" that I
> could sell as being secure from eavesdropping when data crosses untrusted
> networks but not a compromise of firewall policy enforcement due to
> there being no default mechanism to support tunnelling. A favourite of
> mine when I have web hassles but can ssh out is to ssh out to somewhere
> that I port forward my browser to an external proxy :)
>
If the issue is port forwarding you can always disable it at the server side:

    AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The default is
        ``yes''. Note that disabling TCP forwarding does not improve
        security unless users are also denied shell access, as they can
        always install their own forwarders.

Along with X11Forwarding for X.
There is SSL Telnet, but I have no references to that any more. Kinda a
hack to the original telnet protocol to allow it to be encrypted. There
is also stunnel, but I know zero about that.
BTW, I don't normally hear this as an argument against ssh. I tend to hear
the argument that "our IDS can't ensure what your network may be mistakenly
transferring a virus or being used as an attack." Or (which I encountered
at an old job pre-SSH days) "How do we know you're not stealing our code?"
Anyways, the core issue seems to revolve around 'warm fuzzies'. =) And I
guess we all have our own things that make us sleep well at night. I
won't fault them for clinging to their fuzzies.
- Ben
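The sshd_config knobs Ben points at above (AllowTcpForwarding, X11Forwarding, and the man page's caveat that they only help when shell access is also denied) can be checked mechanically. The script below is an added example, not part of Ben's message or of OpenSSH: it reads a config file the way sshd does (first value for a keyword wins, Match blocks are conditional and skipped here), applies the sshd_config(5) defaults when a keyword is absent, and reports whether both forwarding types are off. The two config files it inspects are constructed for the example; the ForceCommand line in the hardened one illustrates one way of denying a general shell and is an assumption about the deployment, not something the thread prescribes.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the forwarding options discussed
# in the thread. Defaults follow sshd_config(5): AllowTcpForwarding yes,
# X11Forwarding no. sshd uses the FIRST value it reads for a keyword, so the
# scan stops at the first match, and it stops at a Match block because values
# inside it apply only conditionally.

# Print the effective global value of keyword $2 in config file $1
# (empty output when the keyword is not set globally).
sshd_effective() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        /^[[:space:]]*#/ { next }              # comment line
        NF < 2 { next }                        # blank or keyword without value
        tolower($1) == "match" { exit }        # conditional section begins
        tolower($1) == key { print $2; exit }  # first value wins
    ' "$_file"
}

# Same, but with the sshd_config(5) default applied when the keyword is absent.
sshd_value_or_default() {
    _v=$(sshd_effective "$1" "$2")
    if [ -z "$_v" ]; then
        case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
            allowtcpforwarding) _v=yes ;;
            x11forwarding)      _v=no ;;
            *)                  _v=unknown ;;
        esac
    fi
    printf '%s\n' "$_v"
}

# Exit status 0 when both TCP and X11 forwarding are off, 1 otherwise.
forwarding_disabled() {
    _tcp=$(sshd_value_or_default "$1" AllowTcpForwarding)
    _x11=$(sshd_value_or_default "$1" X11Forwarding)
    printf 'AllowTcpForwarding=%s X11Forwarding=%s\n' "$_tcp" "$_x11"
    [ "$_tcp" = no ] && [ "$_x11" = no ]
}

# Constructed sample configs (not taken from any real host).
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# Relies on the default AllowTcpForwarding yes and turns X11 on as well.
X11Forwarding yes
EOF

HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
AllowTcpForwarding no
X11Forwarding no
# This later duplicate is ignored: sshd keeps the first value it read.
AllowTcpForwarding yes
# Per the man page, the settings above only matter if the user cannot run
# arbitrary programs. Restricting the shell, or forcing a command for a
# role account as here (assumed deployment detail), is what achieves that.
Match User backup
    ForceCommand /usr/local/bin/backup-only
EOF

forwarding_disabled "$WEAK_CONF" && echo "weak: forwarding off" \
    || echo "weak: forwarding still possible"
forwarding_disabled "$HARDENED_CONF" && echo "hardened: forwarding off" \
    || echo "hardened: forwarding still possible"
```

Run it as-is to see the two verdicts, or point forwarding_disabled at a real /etc/ssh/sshd_config. The "first value wins" rule is the detail most worth remembering: a hardening line appended at the end of a file that already sets AllowTcpForwarding yes earlier changes nothing, and the script reports that correctly.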