SSH Tunneling - security concerns

Hi all. I'm in need of some ammo here. :-)

We want to use SSH (OpenSSH instead of Citrix, which doesn't do file
transfer in any way we like for starters) to connect to a certain
client from a remote location. (Inter-network comms)

The problem is: They won't allow it. They're convinced SSH is a big
security problem, because of the tunneling features it provides. (They
don't actually know much about SSH I think. They only know it does

My questions are: Can anybody tell me what the potential security
problems with using SSH tunneling (TCP/X11/agent) are, and possibly
how to avoid these problems? I'm trying to get as much information as
I can.

Another question might be: Are there any (dis)advantages of using SSH
instead of Citrix for connecting to a remote network?

Thanks in advance.

Re: SSH Tunneling - security concerns

They are stupid -- if they allow you to their network, they may as well
allow tunneling. One of those "security through inconvenience" things. But
they can disallow tunnelling for all or for some connections. How to do
that depends on the SSH-server software they use (SSH or OpenSSH), but it
is possible and easy.

You can make a host on one network (yours) accept connections on a certain
port, and forward them through the encrypted channel to some other
host:port on their network. For instance, they probably use plain telnet to
go from one host to another on their LAN, but don't accept telnet from the
outside of the firewall. If they allow you to ssh to a host inside their
firewall, you can configure a tunnel that will forward connections to port
10023 on your host (from which you launch the telnet client) to port 23
(telnet) on a host on their LAN.

Again, such tunnels can be disabled by the SSH server, but it is silly,
because you can just launch a telnet once you ssh in. The tunnel itself
will not open a new hole, it will just make exploiting an existing one (if
any) more convenient.

This also works in the other direction -- a host:port combination that was
not accessible from their LAN before can be made accessible by your tunnel.
Such limitations are surprisingly popular among the less enlightened
sysadmins, who subscribe to the "ban everything, that's not immediately
needed" paradigm.

Never used Citrix.
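
The reply above says the SSH server can disallow tunneling for all or for some connections. As an added example (not part of the original thread), this sketch reads an OpenSSH sshd_config and reports which forwarding features (TCP, agent, X11, tun device) remain enabled globally and per Match block. The sample config, the user name `vendor` and the address `10.0.0.5` are constructed; the keywords and defaults are OpenSSH's.

```python
import re

# OpenSSH defaults for the forwarding-related keywords (see sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "allowagentforwarding": "yes",
            "x11forwarding": "no", "permittunnel": "no", "gatewayports": "no"}

# Constructed sample: forwarding off globally, one narrow exception per user.
SAMPLE_CONFIG = """\
# forwarding policy
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
Match User vendor
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:23
"""

def parse(text):
    """Return {scope: {keyword: value}}; scope is 'global' or the Match line."""
    scopes = {"global": {}}
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = "Match " + value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value)  # sshd keeps the first value seen
    return scopes

def enabled_forwarding(text):
    """Return {scope: [forwarding keywords whose effective value is not 'no']}."""
    scopes = parse(text)
    pick = lambda d: {k: v for k, v in d.items() if k in DEFAULTS}
    base = {**DEFAULTS, **pick(scopes["global"])}
    report = {}
    for scope, settings in scopes.items():
        effective = {**base, **pick(settings)}  # Match overrides global
        report[scope] = sorted(k for k, v in effective.items() if v.lower() != "no")
    return report

if __name__ == "__main__":
    for scope, keys in enabled_forwarding(SAMPLE_CONFIG).items():
        print(scope, "->", keys or "no forwarding enabled")
```

Each Match block is evaluated on its own against the global section, and `Include` files are not followed, so treat the report as a first pass and confirm against `sshd -T` on the server.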
