Re: Securing ssh tunnels.

From: Darren Reed (avalon_at_caligula.anu.edu.au)
Date: 06/27/03

    To: ichavero@uach.mx (Ivan Chavero)
    Date: Fri, 27 Jun 2003 10:19:22 +1000 (Australia/ACT)
    
    

    In some mail from Ivan Chavero, sie said:
    >
    >
    > On Tue, 24-06-2003 at 19:54, Darren Reed wrote:
    > > ie. with ssh tunneling there is very little real access control on
    > > network data between the two systems and unlike plain text protocols
    > > which can be proxied to ensure correctness of content, this is not
    > > possible with ssh tunnels.
    >
    > can you explain this, what are you referring to when you say "real
    > access control on network data"?

    You cannot control what gets tunnelled inside of ssh.

    Allowing ssh through is, in some ways, like saying allow any tcp
    connection to an outside host. There's no control over what
    connections can and cannot be made by the firewall.

    > > Has anyone else come across this sort of reasoning ?
    > >
    > > What do you use for secure (encrypted) shell access when you do ?
    > >
    > > Mind you, I don't dispute it, it's just inconvenient.
    > >
    > > Darren
    > >
    >
    > I use secure shell, it's pretty flexible and you can make secure
    > connections of almost anything (even though I could be wrong, I'm only
    > beginning to explore more possibilities of ssh on other things besides
    > remote shell sessions or command execution)

    This is the exact problem: "can make secure connections of almost anything".

    What use is a firewall for restricting connections if something
    like ssh is providing an easy conduit, not to mention it being
    opaque, for every connection that you would otherwise block to go
    through ?

    Darren
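
Added example, not part of the original message: when you administer the sshd end of a tunnel, the forwarding channels discussed above are switched by sshd_config keywords, and this Python audit reports which of them a config leaves enabled. The function names and sample configs are constructed for illustration; the defaults are OpenSSH's documented ones, and the check does nothing for ssh sessions to an outside server you do not control.

```python
import re

# OpenSSH defaults for forwarding-related keywords, per sshd_config(5).
DEFAULTS = {
    "allowtcpforwarding": "yes", "allowstreamlocalforwarding": "yes",
    "allowagentforwarding": "yes", "x11forwarding": "no",
    "permittunnel": "no", "gatewayports": "no",
    "permitopen": "any", "disableforwarding": "no",
}
# Features the man page says DisableForwarding switches off.
OFF_WHEN_DISABLED = ("allowtcpforwarding", "allowstreamlocalforwarding",
                     "allowagentforwarding", "x11forwarding")

def effective_global(text):
    """Effective global values: first occurrence wins, stop at first Match."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks can override globals; review them separately
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    eff = {**DEFAULTS, **seen}
    if eff["disableforwarding"] == "yes":
        eff.update(dict.fromkeys(OFF_WHEN_DISABLED, "no"))
    return eff

def open_channels(text):
    """Return {keyword: value} for each forwarding feature left enabled."""
    eff = effective_global(text)
    found = {k: v for k, v in eff.items()
             if k not in ("permitopen", "disableforwarding") and v != "no"}
    # PermitOpen matters only while TCP forwarding is on; "any" = no limit.
    if "allowtcpforwarding" in found and eff["permitopen"] == "any":
        found["permitopen"] = "any"
    return found

# Constructed sample configs (not from the thread).
STOCK = "Port 22\nX11Forwarding yes\n"
LOCKED = ("AllowTcpForwarding no\nAllowTcpForwarding yes\n"  # 2nd is ignored
          "AllowStreamLocalForwarding no\nAllowAgentForwarding no\n")

if __name__ == "__main__":
    print("stock :", open_channels(STOCK))
    print("locked:", open_channels(LOCKED))
```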

