Re: Securing ssh tunnels.
From: Darren Reed (avalon_at_caligula.anu.edu.au)
To: email@example.com (Ivan Chavero)
Date: Fri, 27 Jun 2003 10:19:22 +1000 (Australia/ACT)
In some mail from Ivan Chavero, sie said:
> On Tue, 24-06-2003 at 19:54, Darren Reed wrote:
> > ie. with ssh tunneling there is very little real access control on
> > network data between the two systems and unlike plain text protocols
> > which can be proxied to ensure correctness of content, this is not
> > possible with ssh tunnels.
> can you explain this, what are you referring to when you say "real
> access control on network data"?
You cannot control what gets tunnelled inside of ssh.
Allowing ssh through is, in some ways, like saying allow any tcp
connection to an outside host. There's no control over what
connections can and cannot be made by the firewall.
> > Has anyone else come across this sort of reasoning ?
> > What do you use for secure (encrypted) shell access when you do ?
> > Mind you, I don't dispute it, it's just inconvenient.
> > Darren
> I use secure shell; it's pretty flexible and you can make secure
> connections of almost anything (even though I could be wrong, I'm only
> beginning to explore more possibilities of ssh on other things besides
> remote shell sessions or command execution)
This is the exact problem: "can make secure connections of almost anything".
What use is a firewall for restricting connections if something
like ssh is providing an easy conduit, not to mention it being
opaque, for every connection that you would otherwise block to go