limiting scope of reverse port forwarding (-R)
From: Ian! D. Allen (idallen@freenet.carleton.ca) Date: 11/14/02
From: idallen@freenet.carleton.ca (Ian! D. Allen) Date: Thu, 14 Nov 2002 17:11:04 +0000 (UTC)
My college has firewalled off the campus so that nobody can connect
to anything useful from outside. I have my Linux machines on campus
"calling home" with ssh (via the crontab) to set up reverse tunnels that
let me get back to the on-campus machines, e.g. something like:
ssh -i somekey -l someuser -R 123x:localhost:22 idallen.com
on all the on-campus Linux machines (where "x" differs among machines).
The problem is, I'm using a password-less public key for this connection
(because it's automated from the crontab) and I want to limit what the
connection can do in case someone steals my key on campus.
In the authorized_keys file on idallen.com, using permitopen="host:port",
I can restrict to which ports the clients can forward via -L (effectively
disabling all such ports - I don't want any tunnelled access to
idallen.com from the clients). I can limit the hosts from which I will
accept connections using from="pattern-list".
I see no way of limiting the range of -R ports that a client may use.
Anyone who steals my key on one of my on-campus Linux machines can
connect to idallen.com and listen on any and all ports they want.
Is this the best I can do for reverse-port-forwarding security?
-- 
-IAN! Ian! D. Allen Ottawa, Ontario, Canada idallen@ncf.ca
Home Page on the Ottawa FreeNet: http://www.ncf.ca/~aa610/
College professor at: http://www.algonquincollege.com/~alleni/
Board Member, TeleCommunities CANADA http://www.tc.ca/
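Added example, not part of the original post and not the poster's own setup: the restriction the post asks for became available later, as the authorized_keys option permitlisten (and the matching sshd_config keyword PermitListen) added in OpenSSH 7.8 in 2018. The script below builds the server-side authorized_keys line that pins a cron-driven "call home" key to a single -R port, and the client-side ssh command for the crontab. The port 1231, the source pattern 192.0.2.*, the key file name callhome, the login name someuser and the constructed sample public key are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. It shows how the server
# administrator can pin a cron-driven "call home" key to a single -R port
# with the authorized_keys option permitlisten, which OpenSSH added in
# version 7.8 (2018) and which did not exist when the question was asked.
# Hypothetical values: server-side port 1231, source pattern 192.0.2.*,
# key file ~/.ssh/callhome, login user "someuser", server "idallen.com".

# restricted_key_line PUBKEY PORT FROM
# Emit one authorized_keys line for the server (idallen.com in the post):
#   restrict          disable pty, agent/X11 forwarding, ~/.ssh/rc and all
#                     port forwarding; later options re-enable selectively
#   port-forwarding   re-enable TCP forwarding so -R can work at all
#   permitlisten      the only port the client may bind with -R (the bare
#                     port form allows any listen address GatewayPorts does)
#   permitopen        -L may only reach a loopback port nothing listens on,
#                     the same "effectively disabled" trick the post uses
#   from              accept the key only from this source pattern
#   command           any session request runs /bin/false and exits
restricted_key_line() {
    pubkey=$1; port=$2; from=$3
    printf 'restrict,port-forwarding,permitlisten="%s",permitopen="127.0.0.1:9",from="%s",command="/bin/false" %s\n' \
        "$port" "$from" "$pubkey"
}

# client_command KEYFILE USER HOST PORT
# Emit the ssh invocation for the on-campus crontab. -N requests no session
# (so there is nothing for command= to run), ExitOnForwardFailure makes ssh
# exit instead of sitting idle when the port is already taken, and the
# ServerAlive options let a dead tunnel die so the next cron run replaces it.
client_command() {
    keyfile=$1; user=$2; host=$3; port=$4
    printf 'ssh -N -i %s -l %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R %s:localhost:22 %s\n' \
        "$keyfile" "$user" "$port" "$host"
}

# Constructed sample key for the demonstration; not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealXXXXXXXXXXXX cron@campus-box-1'

# Stand-alone run: print the server-side line and the client-side command.
restricted_key_line "$SAMPLE_PUBKEY" 1231 '192.0.2.*'
client_command "$HOME/.ssh/callhome" someuser idallen.com 1231
```

Each campus machine gets its own key and its own line with a different permitlisten port, so a key stolen from one machine can bind only that machine's port. The same policy can be applied server-wide in sshd_config instead of per key, with a Match User block containing PermitListen 1231, PermitOpen none, AllowTcpForwarding remote, PermitTTY no and ForceCommand /bin/false; the authorized_keys form is preferable when the ports differ per key.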