3

In the man pages for sshd_config, for the AllowTCPForwarding option, it states:

AllowTcpForwarding

Specifies whether TCP forwarding is permitted. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

Can someone please elaborate? I do not understand how someone can install their own forwarder to circumvent TcpForwarding. Would one have to install a proxy server of sorts and then create a tunnel to the remote proxy server?

Renan
  • 16,976
  • 8
  • 69
  • 88
Eric B.
  • 635
  • 2
  • 7
  • 11

2 Answers2

5

Well, SSH forwarding is a proxy server of sorts. It works by accepting the connection on one side, then making a connection on the other side, and then forwarding data between the two.

You could easily do this, too. For example, with netcat:

nc -l -p 1234 ⇆ ssh user@remote 'nc remote2 80'

where represents one of the ways to set up a bidirectional pipe. That should more or less do it (ignoring any buffering problems).

It isn't as nice as the built-in one, but of course with a little bit of work in your scripting language of choice, it could be.

Community
  • 1
derobert
  • 107,579
  • 20
  • 231
  • 279
1

User with shell access can easily run sshd with his/her own configuration (which can e.g. allow TCP forwarding) on an unprivileged port. Hence disabling it for the regular system daemon doesn't make much sense, unless you make a ton of other hardening things.

peterph
  • 30,520
  • 2
  • 69
  • 75
  • That's trivially fixed with `iptables -P INPUT -j DROP` (or equivalent) along with rules to allow the traffic you want, of course. Which should be done already on any system where someone would consider turning off AllowTcpForwarding. – derobert Dec 06 '12 at 16:12
  • @derobert Of course, but then you have to set up the firewall (which is the additional hardening I mentioned). You might want to append that in bold to your answer. :) – peterph Dec 06 '12 at 16:27
  • @derobert And that's easily countered by using the official SSH but tunnelling into another SSH listening on localhost. (If you firewall localhost connections a lot of things are going to fail.) – Gilles 'SO- stop being evil' Dec 06 '12 at 23:30
  • @Gilles I may be misunderstanding, but ssh from localhost to localhost (on the remote machine) isn't going to help much in forwarding a port from your local machine. – derobert Dec 07 '12 at 01:12
  • @Gilles If AllowTcpForwarding is disabled though how can the official SSH tunnel into another SSH listening on localhost? I actually tried that but got the ubiquitous "channel 2: open failed: administratively prohibited: open failed" error, indicating (I believe) that the official SSH is unable to forward the connection to a local SSH. – Eric B. Dec 07 '12 at 02:44