Limiting SSH reverse tunnels?

From: Patrick Morris (pmorris_at_hermesinfotech.com)
Date: 09/24/05

  • Next message: D.N.Vaidya: "Re: sftp question"
    Date: Sat, 24 Sep 2005 07:19:20 -0700
    To: secureshell@securityfocus.com
    
    

    Forgive me if this is a stupid question, but Iíve been banging my head
    against it and the archives for a while now.

    Letís say weíve got two sitesusing OpenSSH (primarily version 3.7.1,
    though that's changeable if it helps with this problem): the office, and
    the data center. People can SSH from anywhere (including the office) out
    to the data center, but not into the office. Corporate rules say you
    need to use the sanctioned VPN to get into the office.

    Several people have figured out the joys of reverse tunneling, and are
    now using SSH tunnels to bypass the corporate VPN get into the office
    using tunnels they set up in advance for that purpose.

    I donít want to disable SSH tunneling completely; itís actually quite
    important that users be able to, say, tunnel an rsync connection through
    to a machine at the data center. I donít want them getting into the
    office that way, though.

    Is there a way to stop SSH from allowing this? Maybe a way to deny
    reverse tunneling to office IP address space?

    Reiterating the corporate policy ainít working.


  • Next message: D.N.Vaidya: "Re: sftp question"