Re: is ssh tunneling a security risk?


Thanks for the comments.

I guess I have two questions then: (1) is the current setup without
tunnel much more secure? and (2) is there another approach that lets me
get work done without the tunnel? Regarding the first, I can see two
scenarios without a tunnel where you would have the same security
problems/advantages. One is where someone gains access to my machine
and then to the intermediary machine. That person then sets up some
program that waits for me to make the second hop and then uses that
somehow (I am just being hypothetical, I don't know how hard this would
be, which is really the question, but I thought keyboard grabbing
programs were a pretty standard part of the hackers toolbox). The other
is that I can imagine it would be possible for me to somehow home brew a
tunnel - once you can connect from A to B to C somehow, is it that
difficult to run a program on A and B that makes connecting A to C

For the second, the real problem is moving files around (though a
graphical interface is occasionally a problem - you can double ssh -X/-Y
I think, but I believe they have blocked this as well). I have limited
disk space on machine B, but need to move large files around. Even if I
had the disk space, moving them twice is a pain that tends to add a lot
of extra time. Does anyone have a suggestion for solving this problem,
even if it is a hack?

And just to be more specific about my security setup, I don't just ssh
to the intermediate machine. First you connect to a website with one
username/password. At that site, you start a java application that
makes a localhost:port ssh connection available that is really to a
machine behind the firewall. Then you authenticate to that machine with
a different username/password. Then you double ssh to the machine you


On Fri, 2008-10-17 at 11:02 -0700, AMuse wrote:
David: Among other tricks which can be played with SSH tunnels (for
good or ill, just the facts) are that if you set up your external host
to do "GatewayPorts yes" and open its firewall, you could accidentally
(or intentionally, from your ITSec groups' point of view) allow anyone
in the world to connect to your external host and traverse your SSH
tunnel, in reverse, to the inside of your corporate LAN.

"Security risk" is always a subjective decision made by your IT Security
group based on your organizations' priorities, assets, data, etc -- but
my guess would be that if they feel it's a risk, it's probably due to
your potential to bypass corporate firewalls for incoming traffic.

David M. Kaplan wrote:

My IT department is really heavy on security. From outside the
building, they have a rather complex system setup so that you can get
around the firewall and ssh into a single machine. From there, you have
to ssh into the machine you want to use.

To simplify things, I have been using a tunnel to hop from my machine
directly (through the tunnel) to the machine I want to use in the
building. This has worked fine until a couple of days ago when IT
decided to prohibit tunneling for "security reasons" (attempting to use
the tunnel now responds with "channel 3: open failed: administratively
prohibited: open failed"). This has made it almost impossible to work
with the system.

What I am wondering is exactly what "security risk" does an ssh tunnel
pose? I thought you used an ssh tunnel to enhance security, not the
other way around. Can someone give me a reason why it is a risk to
leave this open or give me good arguments that I can forward to IT for
why they should not prohibit tunneling?


David M. Kaplan
Charge de Recherche 1
Institut de Recherche pour le Developpement
Centre de Recherche Halieutique Mediterraneenne et Tropicale
av. Jean Monnet
B.P. 171
34203 Sete cedex

Phone: +33 (0)4 99 57 32 27
Fax: +33 (0)4 99 57 32 95

Relevant Pages

  • Re: What is The SSH?
    ... Building and Using SSH Tunnels ... What is an SSH tunnel? ... how to use it to make a connection to a server. ... You will need a working SSH client and server installation to build and test ...
  • Re: Tunnneling?
    ... To setup a tunnel you ... > ask ssh to forward port 80 from the outside machine back behind the ... > Before you forward the port this should give you a remote shell from the ...
  • Re: Real Survivalists Dont Do Windoze
    ... I'm on a Red Hat Linux laptop running TightVNC over a ssh tunnel ... 'Source port' is your port of choice for your VNC-client to connect. ...
  • RE: HOWTO Ping LAN???
    ... SSH to the box, and tunnel to other internal machines ... > network is by tunneling. ...
  • SSH TCP forwarding: works with v1, not with v2 ssh
    ... that they're setting up the tunnels with no problem, ... I can get to the work ssh daemon: ... debug1: Connections to remote port 65002 forwarded to local address palimpsest:22 ... something answers (if I get "connection refused" there's no listener); ...