
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
128
|
Chapter 4: Secure Remote Administration
Unfortunately, there really is nothing to be gained by leaving X11Forwarding set to No
in sshd_config, since a determined user can simply use generic TCP forwarding to
forward X11. Even if
AllowTcpForwarding is also set to No, users with shell access can
still forward connections by piping SSH’s standard input/output to other (non-SSH)
forwarding processes.
The risk, of course, with allowing X and other port forwarding is that this functional-
ity gives users the ability to use SSH as a VPN/tunneling tool; for example, if all you
want to do is allow remote users to read their email via pine or copy files to and from
their home directory, you probably don’t want them to also be able to run processes
on the server that are advertised on their client system and forwarded over an SSH
tunnel! Unfortunately, the only sure way to disable port forwarding on an SSH server
is to compile SSH without it.
There are many other parameters that can be set in sshd_config, but understanding
the previous concepts is enough to get started (assuming your immediate need is to
replace Telnet and FTP). See the sshd(8) manpage for a complete reference for these
parameters.
Intermediate and Advanced SSH
Although most users use ssh and scp for simple logins and file transfers, ...