ssh a security threat?
October 19, 2004, 10:32 pm
open a hole in the firewall for ssh connections going out, i.e., from
our side to external sites (but not connections coming the other way).
He said that would be dangerous, because when you connect to an
external site, you allow that site to, and I quote him, "do things" in
your machine, by "tunneling back" through the connection you opened.
I know that just by connecting somewhere you do not open doors in your
own box (or web browsing would be a rather risky proposition), but I
didn't know how to tell that to him, particularly because I couldn't
explain how exporting X back to your own machine works (yes, I should
say we're talking unix here).
Could this list, in its wisdom :), clarify in the most concise manner
why ssh wouldn't be a security vulnerability if used as I described,
including explaining the X forwarding thing. Or if it is a liability,
Incidentally, they do allow ftp and telnet connections out (but no
ssh), through a gatekeeper style proxy (connect to the gatekeeper and
connect out from there). And, btw, I am able to connect to external
ssh servers by using a small program, connect.c (don't have a link
October 19, 2004, 10:53 pm
Re: ssh a security threat?
Well, web browsing *is* a rather risky proposition.
Brian Hatch has written a series of articles that answer your
X forwarding is optional.
Elvis Notargiacomo master AT barefaced DOT cheek
Re: ssh a security threat?
Depending on your SSH client settings, this may be true. X tunnelling or port
forwarding can allow this. By design, and optional :)
Read some recent security advisories - web browsing IS a rather risky
You shouldn't do X forwarding to an untrusted host, IMO. I'm no expert on X
security, but allowing remote machines to open windows or touch my desktop is
scary unless I know exactly what's there.
Oh, problem solved then. I was going to suggest that if they want to allow
SSH terminal but not ssh port or X forwarding, they could set up a gateway
host with those options disabled. SSH to the gateway, then ssh from there to
the outside world.
And of course, like all of these discussions, the question is often more
political than technical. It's a question of how much the employer trusts
you, and how much freedom they think you need to do your job. I recommend
leaving if you don't like the way they run their business.
Mark Rafn email@example.com <http://www.dagon.net/
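The gateway-host idea in the reply above comes down to a handful of sshd_config directives. The script below is an added example, not code from the thread or from OpenSSH: it audits a gateway's sshd_config for the forwarding features that would let the far side "tunnel back" (X11, TCP port forwarding, agent forwarding, tun devices, remotely bound ports). The two config texts are constructed samples; the defaults are the ones documented in sshd_config(5), and conditional Match blocks are deliberately out of scope.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits an sshd_config text
# for forwarding features that should be off on a gateway host.
# sshd uses the FIRST occurrence of a keyword and ignores later ones, so the
# audit reports the first value found, or the OpenSSH default if absent.

# Constructed sample: a gateway sshd_config before hardening.
SAMPLE_BEFORE='# gateway host
Port 22
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel yes
GatewayPorts no
X11Forwarding no      # ignored by sshd: first occurrence wins'

# Constructed sample: the same host with every forwarding feature off.
SAMPLE_HARDENED='Port 22
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no'

# effective_value CONFIG KEYWORD DEFAULT
# Prints the lowercased value from the first non-comment line whose keyword
# matches (case-insensitive), or DEFAULT if the keyword never appears.
# Stops at the first Match block, whose conditional overrides are not modelled.
effective_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                     # comment line
        NF == 0 { next }                        # blank line
        tolower($1) == "match" { exit }         # conditional section: stop
        tolower($1) == k { print tolower($2); exit }
    ')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# risky_forwarding CONFIG
# Prints one line per forwarding feature that is effectively enabled.
# Anything other than "no" counts as enabled: AllowTcpForwarding also takes
# local/remote/all, PermitTunnel takes point-to-point/ethernet.
risky_forwarding() {
    cfg=$1
    # keyword:default, defaults as documented in sshd_config(5)
    for entry in X11Forwarding:no AllowTcpForwarding:yes \
                 AllowAgentForwarding:yes PermitTunnel:no GatewayPorts:no; do
        key=${entry%%:*}
        def=${entry#*:}
        val=$(effective_value "$cfg" "$key" "$def")
        if [ "$val" != "no" ]; then
            printf '%s is %s (should be no)\n' "$key" "$val"
        fi
    done
}

# count_risky_forwarding CONFIG
# Prints the number of enabled forwarding features (0 means a client on the
# gateway can get a shell out, but nothing can be forwarded back in).
count_risky_forwarding() {
    risky_forwarding "$1" | wc -l | tr -d ' '
}

risky_forwarding "$SAMPLE_BEFORE"
echo "before: $(count_risky_forwarding "$SAMPLE_BEFORE") risky, after: $(count_risky_forwarding "$SAMPLE_HARDENED") risky"
```

Note that AllowAgentForwarding is missing from the "before" sample and is still flagged, because the OpenSSH default is yes; an audit that only greps for explicit "yes" lines would miss it. On the client side the equivalent precaution is `ssh -x` (or `ForwardX11 no` in ssh_config) together with `ForwardAgent no`, since X forwarding is exactly the feature that lets a remote host open windows on, and read input from, your display.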