Limiting SSH reverse tunnels?
From: Patrick Morris (pmorris_at_hermesinfotech.com)
Date: Sat, 24 Sep 2005 07:19:20 -0700 To: firstname.lastname@example.org
Forgive me if this is a stupid question, but Iíve been banging my head
against it and the archives for a while now.
Letís say weíve got two sitesusing OpenSSH (primarily version 3.7.1,
though that's changeable if it helps with this problem): the office, and
the data center. People can SSH from anywhere (including the office) out
to the data center, but not into the office. Corporate rules say you
need to use the sanctioned VPN to get into the office.
Several people have figured out the joys of reverse tunneling, and are
now using SSH tunnels to bypass the corporate VPN get into the office
using tunnels they set up in advance for that purpose.
I donít want to disable SSH tunneling completely; itís actually quite
important that users be able to, say, tunnel an rsync connection through
to a machine at the data center. I donít want them getting into the
office that way, though.
Is there a way to stop SSH from allowing this? Maybe a way to deny
reverse tunneling to office IP address space?
Reiterating the corporate policy ainít working.