ssh a security threat?


I'm trying to convince the network guy at the company I work for to
open a hole in the firewall for ssh connections going out, i.e., from
our side to external sites (but not connections coming the other way).

He said that would be dangerous, because when you connect to an
external site, you allow that site to, and I quote him, "do things" in
your machine, by "tunneling back" through the connection you opened.

I know that just by connecting somewhere you do not open doors in your
own box (or web browsing would be a rather risky proposition), but I
didn't know how to tell that to him, particularly because I couldn't
explain how exporting X back to your own machine works (yes, I should
say we're talking unix here).

Could this list, in its wisdom :), clarify in the most concise manner
why ssh wouldn't be a security vulnerability if used as I described,
including explaining the X forwarding thing. Or if it is a liability,

Incidentally, they do allow ftp and telnet connections out (but no
ssh), through a gatekeeper style proxy (connect to the gatekeeper and
connect out from there). And, btw, I am able to connect to external
ssh servers by using a small program, connect.c (don't have a link


Re: ssh a security threat?

crazy-guy999 wrote:


Well, web browsing *is* a rather risky proposition.


Brian Hatch has written a series of articles that answer your

X forwarding is optional.

Elvis Notargiacomo  master AT barefaced DOT cheek /
    7.031: OnACPower returned value( 0x1 ) which is Equal To 0x1

Re: ssh a security threat?


Fair enough.

Depending on your SSH client settings, this may be true.  X tunnelling or port
forwarding can allow this.  By design, and optional :)


Read some recent security advisories - web browsing IS a rather risky


You shouldn't do X forwarding to an untrusted host, IMO.  I'm no expert on X
security, but allowing remote machines to open windows or touch my desktop is
scary unless I know exactly what's there.


Oh, problem solved then.  I was going to suggest that if they want to allow
SSH terminal but not ssh port or X forwarding, they could set up a gateway
host with those options disabled.  SSH to the gateway, then ssh from there to
the outside world.

And of course, like all of these discussions, the question is often more
political than technical.  It's a question of how much the employer trusts
you, and how much freedom they think you need to do your job.  I recommend
leaving if you don't like the way they run their business.
Mark Rafn    <
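The gateway-host arrangement Mark describes (terminal sessions allowed, X and port forwarding disabled), together with the client-side point that X forwarding is optional, as an added example that is not from either poster or from the OpenSSH project. The script below is an illustration: it emits a constructed sshd_config for the gateway and a constructed ssh_config for the workstation, and includes a small checker that confirms each forwarding directive is explicitly set to "no". The directive names are real OpenSSH keywords (some postdate this thread); the file contents, the function names and the idea of checking them with grep are assumptions made here for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Gateway ("jump") host: users may log in and ssh onward, but the daemon
# refuses X11 forwarding, -L/-R TCP forwarding, Unix-socket forwarding,
# tun/tap tunnels and agent forwarding, so a session to an outside host
# cannot be turned into a path back into the internal network.
gateway_sshd_config() {
    cat <<'EOF'
# /etc/ssh/sshd_config on the gateway (constructed for this example)
X11Forwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
EOF
}

# Workstation side: even if a remote sshd offers X11 forwarding, the
# client will not request it, so the remote host never gets a channel
# to the local X display. ForwardX11Trusted=no keeps any X session that
# is explicitly enabled with -X under the SECURITY extension restrictions.
client_ssh_config() {
    cat <<'EOF'
# ~/.ssh/config on the workstation (constructed for this example)
Host *
    ForwardX11 no
    ForwardX11Trusted no
    ForwardAgent no
EOF
}

# Read a config on stdin; return 0 only if every directive named as an
# argument is explicitly set to "no". Keywords are matched
# case-insensitively, as sshd itself treats them. A directive that is
# absent (left at its default) or set to "yes" fails the check.
forwarding_disabled() {
    config=$(cat)
    for directive in "$@"; do
        printf '%s\n' "$config" |
            grep -Eiq "^[[:space:]]*${directive}[[:space:]]+no[[:space:]]*$" ||
            return 1
    done
    return 0
}

# The checks a gateway admin would run before trusting the setup.
check_gateway() {
    gateway_sshd_config |
        forwarding_disabled X11Forwarding AllowTcpForwarding PermitTunnel
}

check_client() {
    client_ssh_config |
        forwarding_disabled ForwardX11 ForwardAgent
}

# Stand-alone run: report both checks.
if [ "${0##*/}" != "sh" ]; then
    check_gateway && echo "gateway: forwarding disabled"
    check_client && echo "client: X11/agent forwarding disabled"
fi
```

The checker deliberately fails on a directive that is merely absent: OpenSSH defaults AllowTcpForwarding and PermitTunnel's companions to permissive values on some releases, so a gateway policy should state each one rather than rely on the default. On a live host the same verification can be done against the effective configuration with `sshd -T`, which prints every keyword with its resolved value.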
