Re: disabling of TCP forwarding ineffective?

Hi all,
Maybe this(proxy ssh through ssh):
ssh yourhost -oProxyCommand='ssh myhost nc %h %p'

On Wed, 1 Nov 2006, Tom Anderson wrote:

> I've been asked to disable TCP forwarding on a dozen or so servers,
> mostly using openssh 4.3p2, in order to prevent users from bypassing
> our firewall rules.  I'm somewhat concerned, however, by the following
> snippet from the sshd_config manpage.
>
> ``Note that disabling TCP forwarding does not improve security unless
> users are also denied shell access, as they can always install their
> own forwarders.''
>
> Unfortunately, denying shell access isn't really an option at present.
> I'm trying to explain the risk/limitations to my management, but they
> seem to be considering this as some sort of magic
> ``vulnerable=nevermore'' setting.  In other words, they're not
> interested unless I can absolutely prove it.
>
> I've been trying to put together an example with ssh and netcat, using
> several variations of:
>
>         $ nc -l -p 2000 | ssh myhost nc localhost 2000
>
> This has only been partially successful, however, yielding mere one-way
> data flow.  I hate to ask, but would anyone be willing to provide a
> working example?  It doesn't need to be particularly fancy, as I just
> need to demonstrate this is possible.  My concern is to ensure that
> management understands this isn't a cure-all, and to document the
> possibility in writing as a CYA measure.
>
>
>
>
> ____________________________________________________________________________________
> Want to start your own business? Learn how on Yahoo! Small Business
> (http://smallbusiness.yahoo.com)