
...making Linux just a little more fun!

[aditya.bhiday@gmail.com: Regarding Proxy Tunneling (TLDP)]

Kapil Hari Paranjape [kapil at imsc.res.in]


Sat, 21 Feb 2009 11:31:46 +0530

Dear TAG-ers,

I am enclosing a query received regarding #144.

Regards,

Kapil.

P.S. (to aditya) please do not mail TAG members directly. Use the mailing list address as above instead.

----- Forwarded message from Aditya Bhiday <aditya.bhiday@gmail.com> -----

Date: Sat, 21 Feb 2009 11:18:15 +0530
Subject: Regarding Proxy Tunneling (TLDP)
From: Aditya Bhiday <aditya.bhiday@gmail.com>
To: kapil@imsc.res.in
Hi,

I came across a post at http://tldp.org/LDP/LGNET/144/misc/lg/qu[...]om_being_used_as_a_socks_proxy.html which said that

"AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is "yes". Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders."

I was just experimenting around with tunneling and as to how to block it. Please could you explain to me how one can install their own forwarders if ssh tunneling is blocked, or the name of such a forwarding software?

Thanks,

Regards, Aditya Bhiday

----- End forwarded message -----




Aditya Bhiday [aditya.bhiday at gmail.com]


Sat, 21 Feb 2009 11:39:12 +0530


Oh, I'm sorry. I'm new to mailing lists. I'll keep that in mind.

However, when I send a message to a mailing list I am not a part of, do I receive the replies to my messages in my Inbox?

Regards, Aditya

On Sat, Feb 21, 2009 at 11:31 AM, Kapil Hari Paranjape <kapil@imsc.res.in> wrote:

> Dear TAG-ers,
>
> I am enclosing a query received regarding #144.
>
> Regards,
>
> Kapil.
>
> P.S. (to aditya) please do not mail TAG members directly. Use the
> mailing list address as above instead.
>
> ----- Forwarded message from Aditya Bhiday <aditya.bhiday@gmail.com> -----
>
> Date: Sat, 21 Feb 2009 11:18:15 +0530
> Subject: Regarding Proxy Tunneling (TLDP)
> From: Aditya Bhiday <aditya.bhiday@gmail.com>
> To: kapil@imsc.res.in
>
> Hi,
>
> I came across a post at
>
> http://tldp.org/LDP/LGNET/144/misc/lg/qu[...]om_being_used_as_a_socks_proxy.html
> which said that
>
> "AllowTcpForwarding Specifies whether TCP forwarding is permitted. The
> default is "yes". Note that disabling TCP forwarding does not improve
> security unless users are also denied shell access, as they can always
> install their own forwarders."
>
> I was just experimenting around with tunneling and as to how to block it.
> Please could you explain to me how one can install their own forwarders if ssh
> tunneling is blocked, or the name of such a forwarding software?
>
> Thanks,
>
> Regards,
> Aditya Bhiday
>
> ----- End forwarded message -----
>





Rick Moen [rick at linuxmafia.com]


Sat, 21 Feb 2009 13:14:12 -0800

Quoting Aditya Bhiday (aditya.bhiday@gmail.com):

> Oh, I'm sorry. I'm new to mailing lists.
> I'll keep that in mind.
> 
> However, when I send a message to a mailing list I am not a part of, do I
> receive the replies to my messages in my Inbox?

Not automatically. However: (1) TAG mailing list members make a point of CCing querents under the assumption that they are not subscribed, specifically so that you do get copies, and (2) you or anyone else are of course very welcome to join the TAG mailing list. (See URL at bottom.) You might merely find following the discussions to be interesting, and eventually might wish to participate. That's how we get new members of The Answer Gang! ;->

-- 
Cheers,            "Please return all dogmas to their orthodox positions."
Rick Moen                                 -- Brad Johnson, in r.a.sf.w.r-j
rick@linuxmafia.com




Kapil Hari Paranjape [kapil at imsc.res.in]


Sat, 21 Feb 2009 11:39:15 +0530

Hello,

On Sat, 21 Feb 2009 Aditya Bhiday wrote:

> I was just experimenting around with tunneling and as to how to block it.
> Please could you explain to me how one can install their own forwarders if ssh
> tunneling is blocked, or the name of such a forwarding software?

IF:
 - shell account access is enabled
and
 - the user of that shell account can install programs
and
 - run these programs
then forwarding is possible.

For example, the user can install "slirp" which takes a tty and converts it into a ppp server. The user can then attach a pppd process to the other end of the tty.

Kapil.
--




Aditya Bhiday [aditya.bhiday at gmail.com]


Sat, 21 Feb 2009 11:44:44 +0530


On Sat, Feb 21, 2009 at 11:39 AM, Kapil Hari Paranjape <kapil@imsc.res.in> wrote:

> Hello,
>
> On Sat, 21 Feb 2009 Aditya Bhiday wrote:
> > I was just experimenting around with tunneling and as to how to block it.
> > Please could you explain to me how one can install their own forwarders if
> > ssh tunneling is blocked, or the name of such a forwarding software?
>
> IF:
>  - shell account access is enabled
> and
>  - the user of that shell account can install programs
> and
>  - run these programs
> then forwarding is possible.
>
> For example, the user can install "slirp" which takes a tty and
> converts it into a ppp server. The user can then attach a pppd
> process to the other end of the tty.
>
> Kapil.
> --
>
Yes, but if it is an ordinary user, with no administrative powers, then just
disabling the TCP forwarding in the ssh daemon config should block all tunneling right?

Regards, Aditya





Kapil Hari Paranjape [kapil at imsc.res.in]


Sun, 22 Feb 2009 06:53:32 +0530

Hello,

On Sat, 21 Feb 2009, Aditya Bhiday wrote:

> On Sat, Feb 21, 2009 at 11:39 AM, Kapil Hari Paranjape <kapil@imsc.res.in> wrote:
> > For example, the user can install "slirp" which takes a tty and
> > converts it into a ppp server. The user can then attach a pppd
> > process to the other end of the tty.
> Yes, but if it is an ordinary user, with no administrative powers, then just
> disabling the TCP forwarding in the ssh daemon config should block all
> tunneling right?

An "ordinary" user with a shell account can generally download a program to their home directory and run it. So I don't understand your remark.

Kapil.
--
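
An added example, not part of the original thread or of OpenSSH: a small Python audit of sshd_config text that flags the case the quoted man page note warns about, where forwarding is disabled but the account still gets a shell. It assumes a simplified Match syntax (exact User/Group names only), treats any ForceCommand as denying shell access, and uses constructed names (sftponly, alice, bob, carol).

```python
# Constructed sshd_config fragment; the user and group names are hypothetical.
SAMPLE = """\
AllowTcpForwarding no
Match Group sftponly
    ForceCommand internal-sftp
Match User carol
    AllowTcpForwarding yes
"""

def parse(text):
    """Split config text into global options and Match blocks.
    As in sshd, the first value seen for a keyword within a scope wins."""
    glob, blocks = {}, []
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            toks = val.split()
            cur = {}                      # later lines belong to this block
            blocks.append((list(zip(toks[0::2], toks[1::2])), cur))
        else:
            cur.setdefault(key, val)
    return glob, blocks

def matches(crit, user, groups):
    """Simplified: exact User/Group names only; any other criterion never matches."""
    have = {"user": {user}, "group": set(groups)}
    return all(have.get(n.lower(), set()) & set(v.split(",")) for n, v in crit)

def effective(text, user, groups):
    """Options applied to a login: matching Match blocks override the global section."""
    glob, blocks = parse(text)
    eff = {}
    for opts in [o for c, o in blocks if matches(c, user, groups)] + [glob]:
        for k, v in opts.items():
            eff.setdefault(k, v)
    return eff

def audit(text, user, groups):
    eff = effective(text, user, groups)
    fwd_off = (eff.get("disableforwarding", "no").lower() == "yes"
               or eff.get("allowtcpforwarding", "yes").lower() == "no")
    forced = eff.get("forcecommand", "none").lower() != "none"
    if not fwd_off:
        return "forwarding-enabled"
    return "restricted" if forced else "forwarding-off-but-shell"
```

A result of `forwarding-off-but-shell` is the situation discussed in the thread: the sshd setting is in place, but the account can still run its own forwarder from a shell.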

