>
> -----Original Message-----
> From: IBM TCP/IP List [mailto:[EMAIL PROTECTED] On Behalf Of
> Josef Berger
> Sent: Wednesday, August 09, 2006 2:48 AM
> To: [EMAIL PROTECTED]
> Subject: Security risk on SSH tunneling
>
> Hello all,
>
> On our tests on z/OS 1.6 SSH Server, we have found that if
> "AllowTcpForwarding" is set to yes in the z/OS 1.6 SSH Server configuration,
> there is no way to limit to IP-address ranges or ports when using SSH
> tunneling. It's only possible to limit on users with the "AllowUsers" option.
> SSH server doesn't ask RACF for STACKACCESS or PORTACCESS!!
> Any advice on how we can limit the access to specific IP stacks and ports
> would be very welcome.
>
> regards
> Josef
>

Hi Josef,
STACKACCESS and PORTACCESS do occur, but perhaps not where you
suspect. For example, if you are forwarding a TCP connection through the
OpenSSH daemon (with privilege separation enabled), the listening process
is user-privileged (i.e. it has the privileges of the logged-in, authenticated
user) and is listening on the loopback address (with the user-specified port).
If you don't have privilege separation enabled, then your daemon process is
UID 0, but that should only impact whether or not you'd be able to forward
a low (reserved) port. Any forwarding that occurs through the ssh client
side (i.e. the ssh client is the proxy server) is always user-privileged
(whatever privileges the ssh client is running under).

If you disabled a port because the protocol using that port was not secure
(perhaps data was not being encrypted), then forwarding that data over an
SSH connection may alleviate the security concern that caused you to
disallow that protocol in the first place. If the issue isn't security but
some site policy regarding application usage, then you may want to consider
just disabling TCP forwarding. If you have some other requirement where
you want more granularity for TCP forwarding, or if what I discussed above
doesn't alleviate your issue, please e-mail me directly so I can get more
information on your setup.

Best regards,
Erin Farr
z/OS UNIX System Services Development
[EMAIL PROTECTED]

Information about OpenSSH on z/OS can be found in The IBM Ported Tools for
z/OS User's Guide:
http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

/* NOTE: cross-posted to both IBMTCP-L and IBM-MAIN */
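The two replies turn on three sshd_config settings: AllowTcpForwarding, AllowUsers, and whether privilege separation is on. The POSIX sh helper below is an added example, not code from the thread or from IBM's port; it reads an sshd_config (a constructed sample is embedded) and classifies a forward that would make sshd listen on a given port, following the reply's description that the listener is user-privileged under privilege separation and UID 0 without it. The UsePrivilegeSeparation keyword is the one OpenSSH used for that setting; the "first occurrence wins" rule and the default values are assumptions stated in the comments.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Constructed sshd_config sample:
SAMPLE_CONFIG='# constructed sshd_config sample (assumption, not a real host)
Port 22
UsePrivilegeSeparation yes
AllowTcpForwarding yes
AllowUsers josef erin
AllowTcpForwarding no
'

# sshd_get KEY: print the effective value of KEY from sshd_config text on stdin.
# Keywords are case-insensitive; as in sshd, the first occurrence wins, so the
# trailing "AllowTcpForwarding no" in the sample above is ignored.
sshd_get() {
    _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$_key" '
        /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blanks
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# forward_verdict LISTEN_PORT < sshd_config
# Classify a forward that would make sshd listen on LISTEN_PORT:
#   forbidden               - AllowTcpForwarding is no
#   denied-reserved-port    - port < 1024 and the listener runs as the user
#   allowed-as-uid0         - port < 1024 but no privilege separation (daemon is UID 0)
#   allowed-user-privileged - ordinary port, listener runs with the user's privileges
forward_verdict() {
    _cfg=$(cat)
    _port=$1
    _fwd=$(printf '%s\n' "$_cfg" | sshd_get AllowTcpForwarding)
    _priv=$(printf '%s\n' "$_cfg" | sshd_get UsePrivilegeSeparation)
    # Assumed defaults when the keyword is absent: both "yes".
    : "${_fwd:=yes}" "${_priv:=yes}"
    if [ "$_fwd" = no ]; then
        echo forbidden
    elif [ "$_port" -lt 1024 ] && [ "$_priv" = yes ]; then
        echo denied-reserved-port
    elif [ "$_port" -lt 1024 ]; then
        echo allowed-as-uid0
    else
        echo allowed-user-privileged
    fi
}

# Usage: who may forward, and what a forward on port 8080 would look like.
printf 'AllowUsers: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | sshd_get AllowUsers)"
printf 'port 8080: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | forward_verdict 8080)"
printf 'port 443:  %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG" | forward_verdict 443)"
```

Run it against a real file with `forward_verdict 8080 < /etc/ssh/sshd_config` after sourcing the script; the point of the classification is that the user list and the forwarding switch are the only knobs these settings give you, which is exactly the gap the original question describes.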

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html