search for: permittunnel

Displaying 20 results from an estimated 39 matches for "permittunnel".

2018 Apr 04
2
OpenSSH-Client without reverse tunnel ability
...scripts monitoring the very-verbose output of SSH or doing DPI? > > Alternatively, would it be possible to add a config option, allowing an > > administrator to disable reverse port forwarding or limit its destinations? > > But, maybe a combination of MATCH blocks with > PermitTunnel can be useful? > According to your needs, something like: > > PermitTunnel no #(default) > Match Address other.corp.site.IP,123.123.123.123 > PermitTunnel Ethernet > Match group admin1 > PermitTunnel point-to-point > Match user root > PermitTunnel yes Yes, but Permi...
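Two points a practitioner wants to check against the Match sketch above. First, PermitTunnel only gates the layer-2/layer-3 tun(4)/tap tunnels requested with `ssh -w`; the `ssh -R` reverse port forwards the thread started with are governed by AllowTcpForwarding (yes/all/local/remote/no) and, from OpenSSH 7.8, PermitListen. Second, the order of Match blocks matters: sshd uses the pre-Match value as the base, then applies, for each keyword, only the first satisfied Match block that sets it, so with the sketch as written root logging in from one of the listed addresses gets Ethernet, not yes. The following model of that resolution is an added example, not code from the post or from OpenSSH; the placeholder "other.corp.site.IP" is replaced by the documentation prefix 203.0.113.0/24 (an assumption: Match Address takes addresses and CIDR ranges, not host names), and the connection records are constructed.

```python
"""Added example: model how sshd resolves PermitTunnel through Match blocks.

Rules implemented (from sshd_config(5)): the pre-Match value is the base;
Match blocks are tried in file order and, for each keyword, only the first
satisfied block that sets it is applied. Keywords and criteria are
case-insensitive; PermitTunnel accepts yes, point-to-point, ethernet, no.
"""
import fnmatch
import ipaddress

# Constructed config modelled on the sketch in the thread. The post's placeholder
# "other.corp.site.IP" is replaced with 203.0.113.0/24 (assumption): Match Address
# takes IP addresses/CIDR ranges, not host names.
SSHD_CONFIG = """
PermitTunnel no        # global value, applies unless a satisfied Match overrides it
Match Address 203.0.113.0/24,123.123.123.123
    PermitTunnel Ethernet
Match group admin1
    PermitTunnel point-to-point
Match user root
    PermitTunnel yes
"""

# Compiled-in defaults used when neither the global section nor a Match sets a key.
DEFAULTS = {"permittunnel": "no"}

# sshd stores PermitTunnel as a bitmask: point-to-point=1, ethernet=2, yes=both.
TUNMODE = {"no": 0, "point-to-point": 1, "ethernet": 2, "yes": 3}


def parse(text):
    """Return (global_opts, [(criteria, opts), ...]) with Match blocks in file order."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            toks = value.split()
            if toks == ["all"]:
                criteria = {"all": ""}
            elif len(toks) % 2:
                raise ValueError(f"Match criteria must be pairs: {line}")
            else:
                criteria = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks), 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, value.lower())  # first value wins
        else:
            current[1].setdefault(keyword, value.lower())
    return global_opts, blocks


def _pattern_match(pattern_list, value):
    """OpenSSH pattern list: comma-separated, * and ? wildcards, leading ! negates.
    A matching negated entry rejects outright; otherwise any positive match accepts."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(value, pat):
            matched = True
    return matched


def _address_match(addr_list, client_ip):
    """Comma-separated addresses or CIDR ranges, with the same ! negation rule."""
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for entry in addr_list.split(","):
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            if entry.startswith("!"):
                return False
            matched = True
    return matched


def _block_matches(criteria, conn):
    """All criteria of a Match line must hold (User, Group, Address; 'all' always)."""
    for crit, patterns in criteria.items():
        if crit == "all":
            continue
        if crit == "user":
            ok = _pattern_match(patterns, conn["user"])
        elif crit == "group":   # any of the user's groups; negation simplified
            ok = any(_pattern_match(patterns, g) for g in conn["groups"])
        elif crit == "address":
            ok = _address_match(patterns, conn["address"])
        else:
            raise ValueError(f"unsupported Match criterion in this model: {crit}")
        if not ok:
            return False
    return True


def effective(config_text, keyword, conn):
    """First satisfied Match block that sets the keyword wins, else global, else default."""
    global_opts, blocks = parse(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if keyword in opts and _block_matches(criteria, conn):
            return opts[keyword]
    return global_opts.get(keyword, DEFAULTS[keyword])


def tunnel_allowed(permit_value, requested_mode):
    """sshd's check for an 'ssh -w' request: requested mode must be in the permitted mask."""
    return TUNMODE[permit_value] & TUNMODE[requested_mode] != 0


if __name__ == "__main__":
    # Constructed connections; note root from a listed address gets ethernet, not yes.
    for conn in (
        {"user": "root", "groups": ["wheel"], "address": "123.123.123.123"},
        {"user": "root", "groups": ["wheel"], "address": "198.51.100.7"},
        {"user": "alice", "groups": ["admin1", "users"], "address": "198.51.100.7"},
        {"user": "bob", "groups": ["users"], "address": "198.51.100.7"},
    ):
        v = effective(SSHD_CONFIG, "PermitTunnel", conn)
        print(f"{conn['user']:6} from {conn['address']:16} PermitTunnel={v:15} "
              f"tun ok={tunnel_allowed(v, 'point-to-point')} tap ok={tunnel_allowed(v, 'ethernet')}")
```

This is a model for reasoning about a config, not the daemon itself; to query the real sshd for a given connection use its extended test mode, e.g. `sshd -T -C user=root,addr=123.123.123.123,host=client.example` and look at the printed permittunnel line.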
2014 Sep 09
9
[Bug 2272] New: Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272 Bug ID: 2272 Summary: Global "PermitTunnel Yes" required to connect to a tunnel Product: Portable OpenSSH Version: 6.6p1 Hardware: amd64 OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd Assignee: unas...
2018 Apr 04
5
OpenSSH-Client without reverse tunnel ability
Good day! A few weeks ago, we had a security breach in the company I'm working for, because employees used "ssh -R" to expose systems from our internal network to some SSH server in the outer world. Of course, this is a breach of our internal security policy, but led us to wonder, whether there is a technical solution to prevent our users from creating SSH-reverse-tunnels. After
2018 May 30
2
tunnel interface names
>> the fact that ssh insists on tap* and tun* tun/tap-device-names is a >> real nag and prevents from nice and easy solutions in some cases. > > Could you offer some examples? some client: ssh -o "Tunnel Ethernet" -w any office next client: ssh -o "Tunnel Ethernet" -w any office ...and so forth. interface configuration on the hub for all clients:
2018 Apr 05
2
OpenSSH-Client without reverse tunnel ability
...f SSH or doing DPI? > >> > Alternatively, would it be possible to add a config option, allowing an > >> > administrator to disable reverse port forwarding or limit its destinations? > >> > >> But, maybe a combination of MATCH blocks with > >> PermitTunnel can be useful? > >> According to your needs, something like: > >> > >> PermitTunnel no #(default) > >> Match Address other.corp.site.IP,123.123.123.123 > >> PermitTunnel Ethernet > >> Match group admin1 > >> PermitTunnel point-to-poin...
2019 Dec 29
2
securing a hop
...to install and configure sidedoor on A. I have written some docs on securing B which is mostly: 1. append to /etc/ssh/sshd_config (user is from sidedoor.yml) Match User {user} MaxSessions 60 PasswordAuthentication no ChrootDirectory %h X11Forwarding no AllowTcpForwarding yes PermitTunnel no PermitTTY no Banner none ForceCommand /bin/false https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184 Those options are from me reading the docs and collecting tips I found on the internet. A friend pointed out "be aware sftp is likely enabled." Once I hav...
2015 Aug 02
2
Chrooted SFTP-only users along with normal SFTP
...config file (just the important and changed parts): PasswordAuthentication no Subsystem sftp /usr/lib/openssh/sftp-server # Subsystem sftp internal-ftp Match User developer ChrootDirectory %h ForceCommand internal-sftp PasswordAuthentication yes AllowTcpForwarding no PermitTunnel no X11Forwarding no I'm using Trisquel 7, which should be identical to Ubuntu 14.04. Thank you!
2018 Apr 09
2
OpenSSH-Client without reverse tunnel ability
Am 05.04.2018 um 14:11 schrieb Alexander Wuerstlein: > On 2018-04-05T14:07, Nico Kadel-Garcia <nkadel at gmail.com> wrote: >> How difficult would it be to leave a scheduled security check to >> look for "ssh[ \t].*-R.*" expressions with "pgrep", and file a >> security abuse report if such processes are seen? It could be >> worked around, but
2006 Apr 08
1
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180 Summary: Add finer-grained controls to sshd Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: dtucker at
2006 Feb 10
0
OpenSSH VPN between Mac OS X and OpenBSD
...BSD's > OpenSSH 4.3 (OpenBSD as the server) with VPN working. I get stuck when > I've created the tun interfaces on both sides and everything seems OK. > Tiger doesn't come with tun/tap support so I had to get > http://www-user.rhrk.uni-kl.de/~nissler/tuntap/. > > PermitTunnel is set to yes and tun0 got: > > tun0: flags=51<UP,POINTOPOINT,RUNNING> mtu 3000 > groups: tun > inet 192.168.1.1 --> 192.168.1.2 netmask 0xfffffffc > > > > I tried the following from my Mac, with -v: > > voltaire ~ # ssh -vfw 0:1 argus tru...
2006 Jan 24
2
Tunneling lock/hangs/unidirectional
...54.253.20 lab 2 config: # uname -a FreeBSD lab2 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 13 12:00:56 EST 2006 root@:/usr/src/sys/i386/compile/SMP i386 # cat /etc/sysctl.conf | egrep -v '(^#|^$)' net.inet.ip.fastforwarding=1 # cat /etc/ssh/sshd_config | egrep -v '(^#|^$)' PermitTunnel point-to-point # cat ~/.ssh/authorized_keys2 tunnel="1",command="/root/scripts/netstart tun1" ssh-dss AAAA... # cat /root/scripts/netstart #!/bin/sh ifconfig $1 inet 169.254.253.20 169.254.253.10 netmask 255.255.255.0 && \ route add host1 169.254.253.10 The test c...
2011 Feb 20
1
initlog is deprecated
...X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # here are the new patched ldap related tokens # entries in your LDAP must have posixAccount & ldapPublicKey objectclass UseLPK yes LpkLdapConf /etc/ldap.conf #LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ #LpkUserDN ou=users,dc...
2017 Jan 30
4
[Bug 2674] New: [CONFIRMED] channel 4: open failed: administratively prohibited: open failed
...^^^^^^^ ~~~ my sshd_config part: ~~~ Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx \ ::/64 User jirib PasswordAuthentication no AuthenticationMethods publickey AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u AllowTcpForwarding yes PermitTunnel yes AllowAgentForwarding yes GatewayPorts yes X11Forwarding yes ~~~ -----------------------<%------------------------------- -- You are receiving this mail because: You are watching the assignee of the bug.
2016 Sep 27
4
[Bug 2618] New: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon
https://bugzilla.mindrot.org/show_bug.cgi?id=2618 Bug ID: 2618 Summary: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon Product: Portable OpenSSH Version: 7.2p2 Hardware: amd64 OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd
2015 Jul 01
0
Announce: OpenSSH 6.9 released
...ort (including bz#2369) * ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209 * ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396 * sshd(8): fix application of PermitTunnel, LoginGraceTime, AuthenticationMethods and StreamLocalBindMask options in Match blocks * ssh(1), sshd(8): improve disconnection message on TCP reset; bz#2257 * ssh(1): remove failed remote forwards established by multiplexing from the list of active forwards; bz#2363 * sshd(8): mak...
2010 Aug 23
0
Announce: OpenSSH 5.6 released
...re useful for role accounts, disjoint account namespaces and "user at realm"-style naming policies in certificates. * Additional sshd_config(5) options are now valid inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel * Revised the format of certificate keys. The new format, identified as ssh-{dss,rsa}-cert-v01 at openssh.com includes the following changes: - Adding a serial number field. This may be specified by the CA at the time of certificate signing. - Moving the nonce field to...
2006 Dec 03
6
[Bug 1266] incompatibility between s/key and keys Autentification
http://bugzilla.mindrot.org/show_bug.cgi?id=1266 Summary: incompatibility between s/key and keys Autentification Product: Portable OpenSSH Version: 4.4p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: bitbucket at mindrot.org
2013 Jan 31
2
OpenSSH NoPty patch
...-6.1p1-new/sshd_config.0 --- openssh-6.1p1/sshd_config.0 2012-08-29 00:53:04.000000000 +0000 +++ openssh-6.1p1-new/sshd_config.0 2013-01-31 17:21:29.000000000 +0000 @@ -410,7 +410,7 @@ DESCRIPTION PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTunnel, PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, - X11Forwarding and X11UseLocalHost. + X11Forwarding, X11UseLocalHost, and NoPty. MaxAuthTries Specifies the maximum number of authentication attempts per...
2020 Sep 26
2
Debian client/workstation pam_mount
...#X11UseLocalhost yes > #PermitTTY yes > PrintMotd no > #PrintLastLog yes > #TCPKeepAlive yes > #PermitUserEnvironment no > #Compression delayed > #ClientAliveInterval 0 > #ClientAliveCountMax 3 > #UseDNS no > #PidFile /var/run/sshd.pid > #MaxStartups 10:30:100 > #PermitTunnel no > #ChrootDirectory none > #VersionAddendum none > > # no default banner path > #Banner none > > # Allow client to pass locale environment variables > AcceptEnv LANG LC_* > > # override default of no subsystems > Subsystem sftp /usr/lib/openssh/sftp-server > &g...
2010 Aug 09
8
Call for testing: OpenSSH-5.6
...ions are useful for role accounts, disjoint account namespaces and "user at realm"-style naming policies in certificates. * Expose some more sshd_config(5) options inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel * Revised the format of certificate keys. The new format, identified as ssh-{dss,rsa}-cert-v01 at openssh.com includes the following changes: - Addition of a serial number field. This may be specified by the CA at the time of certificate signing. - Moving the nonce field to...