From: Nate Williams <nate@yogotech.com>
Date: Thu, 1 Mar 2001 12:13:49 -0700 (MST)
To: naddy@mips.inka.de (Christian Weisgerber)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks
Message-ID: <15006.40813.304297.252608@nomad.yogotech.com>
In-Reply-To: <97m0uf$2gj$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com> <20010301004422.B14501@mollari.cthul.hu> <97m0uf$2gj$1@kemoauc.mips.inka.de>

> > > Yep.  Note, the commercial version SSH1 had the ability to turn on/off
> > > port forwarding on a per-user and/or a per-port options.
> >
> > I can't even find mention of this in the ssh.com version
>
> Because Nate's wrong.  Ylönen-SSH1 only has a global AllowTcpForwarding
> switch, as has OpenSSH.

Believe what you want.  I've got sources that prove you're wrong.  The JDK
CVS repository was using this feature for 18 months (until I quit my
former job) to only allow people to port forward CVS-Pserver requests,
but disallow all other forwarding requests.

FWIW, we used 'f-secure-ssh-1.3.2'

.nr CO 1
.ie \n(CO .TH SSHD 8 "November 8, 1995" "F-SECURE SSH" "F-SECURE SSH"
.el .TH SSHD 8 "November 8, 1995" "SSH" "SSH"

[ SNIP ]

.B AllowForwardingPort
This keyword can be followed by any number of port numbers, separated

[ SNIP ]

.TP
.B AllowForwardingTo
This keyword can be followed by any number of hostname and port number

[ SNIP ]

.B DenyForwardingPort
This keyword can be followed by any number of port numbers, separated

[ SNIP ]

.B DenyForwardingTo
This keyword can be followed by any number of hostname and port number

You *obviously* don't know what you're talking about.  Be careful about
what you say on public mailing lists...

> It's Ylönen-SSH2 that offers the more
> fine-grained {Allow,Deny}TcpForwardingFor{Users,Groups} option set.

Unfortunately, the SSH2 product did *NOT* allow fine-grained options to
be set in the version we bought, 'f-secure-ssh-2.0.12.1'.

> I don't see a way to control forwarding per port.

Well, since you claim to be an expert, I'll let you find it yourself.

> I guess it wouldn't be very hard to add these options to OpenSSH,
> as you should be able to reuse the existing {Allow,Deny}{Users,Groups}
> and AllowTcpForwarding code.

Nate
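The per-user, per-destination forwarding restriction the thread argues about (forward only to the CVS pserver port, refuse everything else) can be expressed in current OpenSSH with the PermitOpen directive and a Match block. This is an added sshd_config example, not from the thread or from the 2001-era OpenSSH and F-Secure releases discussed above, which lacked these directives; the group name "cvsusers", the host "cvs.example.com" and the pserver port 2401 are assumed values.

```text
# Added example (not part of the original thread).  Assumed names:
# group "cvsusers", CVS host "cvs.example.com", pserver on TCP 2401.

# Before (too permissive): every authenticated user may forward any
# port anywhere, which is the global switch the thread complains about.
#   AllowTcpForwarding yes

# After: refuse forwarding by default ...
AllowTcpForwarding no

# ... and re-enable it only for the CVS group, only for client-side (-L)
# forwards, and only towards the pserver port on the CVS host.
# "local" matters: PermitOpen constrains -L forwards only, so allowing
# "yes" here would still let remote (-R) forwards through unrestricted.
Match Group cvsusers
    AllowTcpForwarding local
    PermitOpen cvs.example.com:2401
```

Check the effective policy for a given user before relying on it, e.g. `sshd -t` for syntax and `sshd -T -C user=alice,host=cvs.example.com,addr=192.0.2.10` to print the settings the Match block yields for that user. Any forward request outside PermitOpen is refused server-side and logged by sshd, which is the event to watch for in the auth log.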