Hello, in man sshd_config there's written (see also thread "disabling of TCP forwarding ineffective?" started on Wed, 1 Nov 2006 17:09:36 -0800 (PST)):
| AllowTcpForwarding
|   Specifies whether TCP forwarding is permitted. The default is “yes”.
|   Note that disabling TCP forwarding does not improve security unless
|   users are also denied shell access, as they can always install their
|   own forwarders.

What's the easiest way to install such a forwarder? It shall support the ``local “dynamic” application-level port forwarding'' (man sshd), see option -D for ssh.

Here some details (LH == local host, RH == remote host):

- An ordinary user can establish ssh connections from LH to RH, but the configuration of sshd on remote_host has set AllowTcpForwarding=No.
- On LH there's an application LA which listens on a given port and provides a SOCKS4 interface.
- On RH there's an application RA which operates on standard input and output like a typical daemon that can be launched by inetd. Actually RA will be launched by ssh -t.
- The services provided by LA will be executed by RA. So there must be some bidirectional transfer between LA and RA via ssh -t.

Are there already applications LA and RA like above? Or are there similar applications which can easily be enhanced by configuration or programming?

I think the hacks mentioned in the thread "disabling of TCP forwarding ineffective?" are not a sufficient solution, because:

- netcat works as a one-shot server, but a continual server is needed
- a SOCKS interface is needed rather than just a simple port forwarding

Just an idea: maybe there's somewhere a variant of SSHD which differs from the original SSHD in these features:

- The variant can be configured also by the user, not only by root (somewhat a local sshd_config).
- Login is not needed. That is done by the original SSH connection.
- Even encryption is not needed for the same reason.
- TCP forwarding is the feature that shall definitively stay.

If you feel that I'm posting to the wrong list, can anyone recommend me a better one, please?

Regards
Thomas
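As an added example (not part of Thomas's post or of the thread), a small Python audit that reads an sshd_config and reports the scopes where AllowTcpForwarding is restricted without a ForceCommand, the combination the quoted man page paragraph says buys no security because the user can still run a command of their own over the session channel. The two sample configurations are constructed, and the Match handling is a simplified model of sshd's semantics.

```python
"""Audit sshd_config for AllowTcpForwarding=no that is not backed by a
ForceCommand, the situation the sshd_config(5) caveat warns about."""
import re

# Constructed sample: forwarding denied globally, but only the sftponly
# group is actually kept from running arbitrary commands.
WEAK_CONFIG = """
AllowTcpForwarding no
Match Group sftponly
    ForceCommand internal-sftp
Match User deploy
    PermitTTY no
"""

# Constructed sample: the denial is scoped together with a ForceCommand.
HARDENED_CONFIG = """
Match Group sftponly
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

def parse_sshd_config(text):
    """Split sshd_config into (scope, settings) pairs in file order.
    scope is 'global' or the Match criteria; keywords are lowercased and
    both 'Key value' and 'Key=value' syntax are accepted."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            scopes.append((value, {}))
        else:
            scopes[-1][1].setdefault(key, value)  # first value wins
    return scopes

def ineffective_forwarding_denial(text):
    """Return the scopes where TCP forwarding is restricted but no
    ForceCommand is set, so the user can still run their own forwarder
    over the session channel. Match blocks inherit global values; each
    block is judged on its own (overlapping Match blocks are not resolved
    per user, a simplification of sshd's real matching)."""
    scopes = parse_sshd_config(text)
    global_settings = scopes[0][1]
    findings = []
    for scope, settings in scopes:
        effective = {**global_settings, **settings}
        if effective.get("allowtcpforwarding", "yes").lower() == "yes":
            continue  # nothing is being denied in this scope
        # PermitTTY no is not enough: 'ssh host cmd' still runs without a tty.
        if "forcecommand" not in effective:
            findings.append(scope)
    return findings
```

Running it on the weak sample reports the global scope and the deploy user; the hardened sample produces no findings.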
