Re: SSH Tunneling - security concerns
From: Mikhail Teterin (usenet_at_aldan.algebra.com)
Date: 06/07/04
- Next message: Gregory Cain: "tar backup/ssh problem"
- Previous message: Alexander Malkis: ""Connection to ... closed by remote host" - what to do?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 07 Jun 2004 12:32:51 -0400
Martijn Bruns wrote in <f9831c2e.0406070526.63848c@posting.google.com>:
> The problem is: They won't allow it. They're convinced SSH is a big
> security problem, because of the tunneling features it provides. (They
> don't actually know much about SSH, I think. They only know it does
> "tunneling".)
They are stupid -- if they allow you to their network, they may as well
allow tunneling. One of those "security through inconvenience" things. But
they can disallow tunneling for all or for some connections. How to do
that depends on the SSH-server software they use (SSH or OpenSSH), but it
is possible and easy.
> My questions are: Can anybody tell me what the potential security
> problems with using SSH tunneling (TCP/X11/agent) are, and possibly
> how to avoid these problems? I'm trying to get as much information as
> I can.
You can make a host on one network (yours) accept connections on a certain
port, and forward them through the encrypted channel to some other
host:port on their network. For instance, they probably use plain telnet to
go from one host to another on their LAN, but don't accept telnet from the
outside of the firewall. If they allow you to ssh to a host inside their
firewall, you can configure a tunnel that will forward connections to port
10023 on your host (from which you launch the telnet client) to port 23
(telnet) on a host on their LAN.
Again, such tunnels can be disabled by the SSH server, but it is silly,
because you can just launch a telnet once you ssh in. The tunnel itself
will not open a new hole, it will just make exploiting an existing one (if
any) more convenient.
This also works in the other direction -- a host:port combination that was
not accessible from their LAN before can be made accessible by your tunnel.
Such limitations are surprisingly popular among the less enlightened
sysadmins, who subscribe to the "ban everything that's not immediately
needed" paradigm.
> Another question might be: Are there any (dis)advantages of using SSH
> instead of Citrix for connecting to a remote network?
Never used Citrix.
-mi
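The forwards described in the message above, and the server-side knobs the admins would reach for, as an added example that is not part of the original post (OpenSSH syntax; the host names, user names and the two sshd_config samples are constructed for illustration). The check at the end answers the practitioner's question "does this sshd_config actually disable forwarding?", since sshd keeps the first value it reads for a keyword and a deny appended after an earlier "yes" is silently ignored:

```shell
#!/bin/sh
# Added example, not from the original message. Host names, user names and
# the sshd_config samples below are made up for illustration.
#
# The two tunnel shapes the message describes (client side, OpenSSH):
#
#   Local forward: port 10023 on your host -> lanhost:23, through the gateway
#   you are allowed to ssh to; then "telnet localhost 10023" reaches their
#   telnet daemon.
#     ssh -N -L 10023:lanhost:23 you@gateway.example.org
#
#   Remote forward, the other direction: port 10080 on the gateway reaches a
#   service on your side that their LAN could not reach before.
#     ssh -N -R 10080:localhost:80 you@gateway.example.org
#
# Server side, the knobs that turn these off (sshd_config, OpenSSH):
#   AllowTcpForwarding no|local|remote|yes
#   X11Forwarding no
#   AllowAgentForwarding no
#   PermitOpen host:port    (restrict -L destinations instead of banning them)
#   Match User ...          (apply any of the above to some users only)

# effective_sshd_value CONFIG_TEXT KEYWORD
# Prints the value sshd will use for KEYWORD in the global section (everything
# before the first Match block), or "(default)" if the keyword is never set.
# Keyword comparison is case-insensitive, as in sshd itself.
effective_sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }               # comment line
        NF == 0 { next }                        # blank line
        { gsub(/=/, " "); k = tolower($1) }     # accept "Key value" or "Key=value"
        k == "match" { exit }                   # global section ends here
        k == key { val = $2; found = 1; exit }  # first occurrence wins
        END { print (found ? val : "(default)") }
    '
}

# audit_forwarding CONFIG_TEXT: report the three forwarding-related keywords.
audit_forwarding() {
    for kw in AllowTcpForwarding X11Forwarding AllowAgentForwarding; do
        printf '%-22s %s\n' "$kw" "$(effective_sshd_value "$1" "$kw")"
    done
}

# Constructed sample 1: the admin "disabled" tunneling by appending a line.
SLOPPY_CFG=$(cat <<'EOF'
Port 22
AllowTcpForwarding yes
X11Forwarding no
# added later in a hurry; ignored, because the earlier "yes" was read first
AllowTcpForwarding no
Match User contractor
    AllowTcpForwarding no
EOF
)

# Constructed sample 2: forwarding off globally, re-enabled narrowly for one user.
HARDENED_CFG=$(cat <<'EOF'
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
Match User backup
    AllowTcpForwarding local
    PermitOpen lanhost:23
EOF
)

echo "sloppy config:";   audit_forwarding "$SLOPPY_CFG"
echo "hardened config:"; audit_forwarding "$HARDENED_CFG"
```

The awk check deliberately stops at the first Match block, so it reports the global setting only; to see what sshd itself would apply to a particular connection, including Match overrides, run `sshd -T -C user=contractor,host=client.example.org,addr=192.0.2.10` on the server and read the dumped keywords.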