It is possible to close these SSH holes. You can configure the sshd to
disallow port forwarding and X11 forwarding. Furthermore, you can
disable UNIX password authentication, and permit only RSA public key
authentication, and also disable the interaction with ssh-agent. If you
want maximum paranoia, you can configure sshd to only accept host keys
from known hosts, and then have your remote users all create keys for
their home PC, or whatever, and install these keys on the host that
receives outside SSH logins. Users can exercise paranoia on their own
by creating an authorized_keys file in their $HOME/.ssh directory, which
contains the public keys of remote users who are allowed access to the
account. This will typically contain only the public key of the owner
of the account. It's pretty robust, but not straight out of the box
with the default config files. As with all things security-related, you
must know what you are doing.
> -----Original Message-----
> From: dmcewen @ gov [SMTP:dmcewen @
> Sent: Friday, April 03, 1998 6:53 AM
> To: firewalls @ COM; Roy Stevens
> Subject: Re: SSH Questions
> SSH provides security via encryption, so it makes it much harder to
> snoop your data including userid and password. However, if someone is
> able to compromise your userid/password, then you have made the
> firewall a joke because it is so easy to tunnel other protocols via
> ssh. I'd suggest that inbound ssh only be done with strong auth such
> as SecurID.
> ______________________________ Reply Separator
> Subject: SSH Questions
> Author: Roy Stevens <tobor @ com> at NOTE
> Date: 4/3/98 9:43 AM
> I have started research into running ssh across the INTERNET.
> My preliminary research has shown much promise.
> I would appreciate any feedback on this.
> I am particularly interested in firewall issues, i.e. proxy or IP
> forwarding problems.
> Thanks for any correspondence.
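The sshd hardening the reply at the top recommends (no port or X11 forwarding, no password logins, public-key authentication only, no agent forwarding) can be checked mechanically rather than by eyeballing the config. The script below is an added example and is not part of the 1998 mail or of any SSH distribution; it assumes modern OpenSSH `sshd_config` keyword names and their defaults (the ssh1 daemon of the time used different keywords), and the two sample config files it writes are constructed for the demonstration. It follows sshd's own parsing rules: comments are ignored, the first occurrence of a keyword wins, and anything under a `Match` line is conditional rather than global, which is exactly how a config that "looks hardened" can still leave password logins enabled.

```shell
#!/bin/sh
# Added example (not from the original mail): audit an sshd_config for the
# hardening the reply recommends. Keyword names and defaults are modern
# OpenSSH ones (an assumption); sshd applies the FIRST occurrence of a
# keyword, ignores comments, and treats anything after "Match" as conditional.

# effective_value FILE KEYWORD -> prints the first value set, nothing if unset
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # skip comments
        /^[[:space:]]*$/ { next }                        # skip blank lines
        tolower($1) == "match" { exit }                  # conditional block: stop
        tolower($1) == tolower(key) { print $2; exit }   # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; return value = number of failures
audit_sshd_config() {
    file=$1
    failures=0
    # keyword:required value:OpenSSH default applied when the keyword is unset
    for spec in \
        "AllowTcpForwarding:no:yes" \
        "X11Forwarding:no:no" \
        "PasswordAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes" \
        "AllowAgentForwarding:no:yes" \
        "PermitRootLogin:no:prohibit-password"
    do
        key=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(effective_value "$file" "$key")
        if [ -z "$got" ]; then
            eff=$default
            note="unset, sshd default"
        else
            eff=$got
            note="set in file"
        fi
        # keywords and values are case-insensitive in sshd, so compare lowercased
        if [ "$(printf '%s' "$eff" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $key=$eff ($note)"
        else
            echo "FAIL $key=$eff ($note), want $want"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample configs (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG=$SAMPLE_DIR/sshd_config.weak
HARD_CFG=$SAMPLE_DIR/sshd_config.hardened

# Looks hardened at a glance but is not: the first PasswordAuthentication
# line wins, the "no" under it is commented out, and forwarding stays at defaults.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
X11Forwarding yes
PermitRootLogin yes
EOF

cat > "$HARD_CFG" <<'EOF'
Port 22
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Per-user access is then governed by each user's ~/.ssh/authorized_keys.
EOF

echo "== weak config =="
n=0; audit_sshd_config "$WEAK_CFG" || n=$?
echo "failures: $n"
echo "== hardened config =="
n=0; audit_sshd_config "$HARD_CFG" || n=$?
echo "failures: $n"
```

Run it against a real `/etc/ssh/sshd_config` with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero return value is the number of settings that still differ from the recommendation. On a live host, `sshd -T` prints the fully resolved effective configuration and is the authoritative source, but the parser above is enough to catch the two classic mistakes: a duplicate keyword whose later value is silently ignored, and a hardening line that was commented out.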