Limiting SSH reverse tunnels?

• Previous message: Ben Ford: "sshd as non root"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 24 Sep 2005 07:19:20 -0700
To: secureshell@securityfocus.com

Forgive me if this is a stupid question, but I’ve been banging my head
against it and the archives for a while now.

Let’s say we’ve got two sitesusing OpenSSH (primarily version 3.7.1,
though that's changeable if it helps with this problem): the office, and
the data center. People can SSH from anywhere (including the office) out
to the data center, but not into the office. Corporate rules say you
need to use the sanctioned VPN to get into the office.

Several people have figured out the joys of reverse tunneling, and are
now using SSH tunnels to bypass the corporate VPN get into the office
using tunnels they set up in advance for that purpose.

I don’t want to disable SSH tunneling completely; it’s actually quite
important that users be able to, say, tunnel an rsync connection through
to a machine at the data center. I don’t want them getting into the
office that way, though.

Is there a way to stop SSH from allowing this? Maybe a way to deny
reverse tunneling to office IP address space?

Reiterating the corporate policy ain’t working.

• Previous message: Ben Ford: "sshd as non root"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]