Tux

...making Linux just a little more fun!

Talkback:144/lg_mail.html

[ In reference to "Mailbag" in LG#144 ]

Kapil Hari Paranjape [kapil at imsc.res.in]


Sat, 21 Feb 2009 11:31:46 +0530

Dear TAG-ers,

I am enclosing a qeury received regarding #144.

Regards,

Kapil.

P.S. (to aditya) please do not mail TAG members directly. Use the mailing list address as above instead.

----- Forwarded message from Aditya Bhiday <aditya.bhiday@gmail.com> -----

Date: Sat, 21 Feb 2009 11:18:15 +0530
Subject: Regarding Proxy Tunneling (TLDP)
From: Aditya Bhiday <aditya.bhiday@gmail.com>
To: kapil@imsc.res.in
Hi,

I came across a post at https://tldp.org/LDP/LGNET/144/misc/lg/qu[...]om_being_used_as_a_socks_proxy.htmlwhich said that

"AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders."

I was just experimenting around with tunneling and as to how to block it. Please could explain to me how one can install their own forwarders if ssh tunneling is blocked, or the name of such a forwarding software?

Thanks,

Regards, Aditya Bhiday

----- End forwarded message -----


Top    Back


Aditya Bhiday [aditya.bhiday at gmail.com]


Sat, 21 Feb 2009 11:39:12 +0530

Oh, I'm sorry. I'm new to mailing lists. I'll keep that in mind.

However when I send a message to mailing list I am not a part of, do I receive the replies to my messages in my Inbox?

Regards, Aditya


Top    Back


Kapil Hari Paranjape [kapil at imsc.res.in]


Sat, 21 Feb 2009 11:39:15 +0530

Hello,

On Sat, 21 Feb 2009 Aditya Bhiday wrote:

> I was just experimenting around with tunneling and as to how to block it.
> Please could explain to me how one can install their own forwarders if ssh
> tunneling is blocked, or the name of such a forwarding software?

IF:

 - shell account access is enabled
and
 - the user of that shell account can install programs
and
 - run these programs
then forwarding is possible.

For example, the user can install "slirp" which takes a tty and converts it into a ppp server. The user can then attach a pppd process to the other end of the tty.

Kapil. --


Top    Back


Aditya Bhiday [aditya.bhiday at gmail.com]


Sat, 21 Feb 2009 11:44:44 +0530

Yes, but if it an ordinary user, with no administrative powers, then just disabling the TCP forwarding in the ssh daemon config should block all tunneling right?

Regards, Aditya

References


Top    Back


Rick Moen [rick at linuxmafia.com]


Sat, 21 Feb 2009 13:14:12 -0800

Quoting Aditya Bhiday (aditya.bhiday@gmail.com):

> Oh, I'm sorry. I'm new to mailing lists.
> I'll keep that in mind.
> 
> However when I send a message to mailing list I am not a part of, do I
> receive the replies to my messages in my Inbox?

Not automatically. However: (1) TAG mailing list members make a point of CCing querents under the assumption that they are not subscribed, specifically so that you do get copies, and (2) you or anyone else are of course very welcome to join the TAG mailing list. (See URL at bottom.) You might merely find following the discussions to be interesting, and eventually might wish to participate. That's how we get new members of The Answer Gang! ;->

-- 
Cheers,            "Please return all dogmas to their orthodox positions."
Rick Moen                                 -- Brad Johnson, in r.a.sf.w.r-j
rick@linuxmafia.com


Top    Back


Kapil Hari Paranjape [kapil at imsc.res.in]


Sun, 22 Feb 2009 06:53:32 +0530

Hello,

On Sat, 21 Feb 2009, Aditya Bhiday wrote:

> On Sat, Feb 21, 2009 at 11:39 AM, Kapil Hari Paranjape <kapil@imsc.res.in>wrote:
> > For example, the user can install "slirp" which takes a tty and
> > converts it into a ppp server. The user can then attach a pppd
> > process to the other end of the tty.
> Yes, but if it an ordinary user, with no administrative powers, then just
> disabling the TCP forwarding in the ssh daemon config should block all
> tunneling right?

An "ordinary" user with a shell account can generally download a program to their home directory and run it. So I don't understand your remark.

Kapil. --


Top    Back