
Option to disallow SSH port forwarding #950

Open
amapi opened this issue Feb 21, 2024 · 2 comments

Comments


amapi commented Feb 21, 2024

Users can bypass SSH session recording.

How?

I have a Linux server A

I installed a Warpgate on machine B

I have my personal PC (Linux or WSL).

An admin configures a target on Warpgate to access server A.

To access server A, I will execute the command

ssh "admin:mytarget@server_b" -p 2222

but I can also use the command:

ssh "admin:mytarget@server_b" -p 2222 -N -L 0.0.0.0:9999:127.0.0.1:22

In this case, I set up a tunnel from my PC port 9999 to the SSH server of server A, then I just need to run the command

ssh userx@127.0.0.1 -p 9999

to connect directly to server A.

In this case, Warpgate is no longer able to record the content of the session between my PC and server A.

Certainly, you need to know the password of the user userx, but it's a risk.

To avoid this, would it be possible to forbid port forwarding (and everything associated with it) on warpgate?

Thank you.

Eugeny (Member) commented Feb 21, 2024

Forwarded port channels are still recorded, but of course it would still be impossible to decipher the recorded SSH session. I'll rename the ticket with regard to adding an option to prohibit port forwarding.

@Eugeny Eugeny changed the title Users can bypass SSH session recording. Option to disallow SSH port forwarding Feb 21, 2024

r3flow commented May 7, 2024

I think the port forwarding is necessary until #766 is implemented.

Furthermore, OpenSSH supports per-key server-side privileges. In the authorized_keys file, you can add several modifiers in front of each or any key to control permissions. For example command="",permitopen=ip:port etc., or even a no-port-forwarding option. "permitopen" can be repeated several times if necessary. The best solution would be to implement a subset of these flags in Warpgate.

https://manpages.debian.org/bookworm/openssh-server/authorized_keys.5.en.html#permitopen=host:port
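Added example, not code from the issue or from the Warpgate project: a small audit script that parses the OpenSSH authorized_keys options referred to above (no-port-forwarding, restrict with its port-forwarding override, and repeated permitopen) and reports each key's effective TCP forwarding policy, so an operator can spot keys that still allow the -L tunnel described in this issue. The sample file, key blobs and comments are constructed placeholders; sshd_config's AllowTcpForwarding still applies on top of whatever a key's options permit.

```python
# Audits OpenSSH authorized_keys entries for per-key TCP forwarding policy, per
# authorized_keys(5): no-port-forwarding and restrict deny it (port-forwarding
# re-enables it after restrict); permitopen="host:port" (repeatable) limits -L.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def parse_entry(line):
    """Return {'options': [...], 'comment': str} for a key line, else None.
    Options are split on commas outside double quotes, because command="..."
    and permitopen="..." values may themselves contain commas or spaces."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, cur, quoted, i = [], [], False, 0
    if not line.startswith(KEY_TYPES):           # an options field is present
        while i < len(line):
            c = line[i]
            if c == "\\" and quoted and i + 1 < len(line):   # escaped char
                cur.append(line[i + 1]); i += 2; continue
            if c == '"':
                quoted = not quoted
            elif not quoted and c == ",":
                opts.append("".join(cur)); cur = []; i += 1; continue
            elif not quoted and c.isspace():     # end of the options field
                break
            cur.append(c); i += 1
        opts.append("".join(cur))
    fields = line[i:].split()                    # keytype, key, [comment]
    return {"options": opts, "comment": fields[2] if len(fields) > 2 else ""}

def forwarding_policy(options):
    """Effective TCP port-forwarding permission for one key's options."""
    names = {o.split("=", 1)[0] for o in options}
    if "no-port-forwarding" in names or (
            "restrict" in names and "port-forwarding" not in names):
        return "denied"
    dests = [o.split("=", 1)[1].strip('"') for o in options
             if o.startswith("permitopen=")]
    return "local forwarding only to " + ", ".join(dests) if dests else "allowed"

def audit(text):
    """Map each key's comment to its policy (run over a real file in practice)."""
    return {e["comment"]: forwarding_policy(e["options"])
            for e in map(parse_entry, text.splitlines()) if e}

# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = """\
restrict,port-forwarding,command="/usr/bin/rec-shell" ssh-ed25519 AAAAC3PLACEHOLDER tunnel@example
permitopen="10.0.0.5:22",permitopen="10.0.0.6:5432" ssh-ed25519 AAAAC3PLACEHOLDER dba@example
no-port-forwarding,command="ls -l, please" ssh-rsa AAAAB3PLACEHOLDER audit@example
ssh-ed25519 AAAAC3PLACEHOLDER unrestricted@example
"""
```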

Development

No branches or pull requests

3 participants