[scponly] scponly users can still use port forwarding
Steven Mocking
mocking at textkernel.nl
Tue May 9 17:19:03 EDT 2006
Apparently, it's still possible for a client to do port forwarding on an
scponly ssh session:
ssh -N -L 9999:host.on.intranet:port scponly at host.on.internet
Which means a remote scponly user could forward connections to any other
systems accessible from the server running scponly. This is not specific
to scponly - any user with an existing shell entry in /etc/passwd can
do this (even /bin/false!).
Hence my question: is there a way to restrict ssh port forwarding to a
specific group of users? Or is running multiple ssh servers the only
solution?
Furthermore, it might be a good idea to mention this in the
documentation. Most people could get away with setting the sshd's
AllowTcpForwarding to "no" anyway (it's set to "yes" by default).
Steven
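An added example, not from the original post or from the scponly project: a POSIX shell helper that applies sshd_config(5) precedence to a constructed configuration, showing how a `Match Group` block can turn AllowTcpForwarding off for an scponly group while leaving the default in place for everyone else. The sample config is constructed, and the Match handling is simplified (exact `Group`/`User` patterns only).

```shell
#!/bin/sh
# Constructed sshd_config for illustration only (not a real host's config).
SSHD_CONFIG_SAMPLE='
# Global section: forwarding stays on for ordinary users (the sshd default).
Port 22
AllowTcpForwarding yes

# Per-group restriction: scponly users get no TCP forwarding at all.
Match Group scponly
    AllowTcpForwarding no
    X11Forwarding no

Match User backup
    AllowTcpForwarding local
'

# effective_tcp_forwarding CONFIG_TEXT GROUP USER
# Mimics sshd_config(5) precedence: a keyword inside a matching Match block
# overrides the global value; among several matching blocks the first wins;
# if nothing sets it, the sshd default "yes" applies. Only exact, single
# "Group" and "User" criteria are understood; any other criterion is
# treated as not matching (a conservative simplification for this example).
effective_tcp_forwarding() {
    printf '%s\n' "$1" | awk -v grp="$2" -v usr="$3" '
        BEGIN { active = 1; inmatch = 0; global = ""; matched = "" }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" {
            active = 1
            for (i = 2; i < NF; i += 2) {        # criteria come in pairs
                crit = tolower($i); pat = $(i + 1)
                if (crit == "group" && pat != grp) active = 0
                else if (crit == "user" && pat != usr) active = 0
                else if (crit != "group" && crit != "user") active = 0
            }
            inmatch = 1; next
        }
        tolower($1) == "allowtcpforwarding" {
            val = tolower($2)
            if (!inmatch) { if (global == "") global = val }
            else if (active && matched == "") matched = val
        }
        END {
            if (matched != "") print matched
            else if (global != "") print global
            else print "yes"                     # sshd default when unset
        }'
}
```

On a live host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the values sshd would actually apply to that connection, which is the authoritative check; this helper only illustrates the precedence rules.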