For discussion of Alpine Linux development and developer support

AllowTcpForwarding no (by default)

Ladar Levison
Message ID: <04299073-f21e-45ec-3c95-548b2a16c53d@lavabit.com>

Just wondering what the motivation behind commit
8d2a4e449d4e15ddcf41ab1aade94a83f6ed4308 ... which updates the default
OpenSSH daemon config with 'AllowTcpForwarding no'. Was there a reason
or specific attack vector the change is meant to mitigate? All I could
find is a vague reference to bad passwords? It seems to me the two
things are unrelated, as the port is still exposed if the machine has a
public IP address. All this does is make it more difficult for an admin
to set up an explicit port forwarding rule. All I could find was this:

https://git.alpinelinux.org/aports/commit/?id=495bbd7fb1f07c23a1f2d47a071aa5519e08744c

I've been asked to restore the old value, aka 'AllowTcpForwarding yes',
in my virtual machine base boxes, and I don't see an obvious reason to
deny the request, as the new default causes port forwarding to break.
And forwarding an SSH port from a virtual guest, to an accessible IP
address seems like a common enough use case for virtual machines, that
I'm thinking it should.

But before I accept the pull request, and let loose the change across
the internet, I wanted to solicit other opinions?

The pull request in question:

https://github.com/lavabit/robox/pull/66

L~

Message ID: <20190723111010.105ed4b9@ncopa-desktop.copa.dup.pw>
In-Reply-To: <04299073-f21e-45ec-3c95-548b2a16c53d@lavabit.com>

On Tue, 23 Jul 2019 13:57:08 +0530
Ladar Levison <ladar@lavabit.com> wrote:

> Just wondering what the motivation behind commit
> 8d2a4e449d4e15ddcf41ab1aade94a83f6ed4308 ... which updates the default
> OpenSSH daemon config with 'AllowTcpForwarding no'. Was there a reason
> or specific attack vector the change is meant to mitigate? All I could
> find is a vague reference to bad passwords? It seems to me the two
> things are unrelated, as the port is still exposed if the machine has a
> public IP address. All this does is make it more difficult for an admin
> to set up an explicit port forwarding rule. All I could find was this:
> 
> https://git.alpinelinux.org/aports/commit/?id=495bbd7fb1f07c23a1f2d47a071aa5519e08744c

I don't remember exactly what made me do that change. Someone probably
hinted me about it.

The general thinking here is to try to have secure defaults, features
disabled by default, and let people enable them when they need them.

TCP forwarding is a common way to bypass firewalls. We don't want to
make it easy for an attacker who managed to break in - by default.

https://security.stackexchange.com/questions/22782/security-concerns-with-tcp-forwarding

 
> I've been asked to restore the old value, aka 'AllowTcpForwarding yes',
> in my virtual machine base boxes, and I don't see an obvious reason to
> deny the request, as the new default causes port forwarding to break.
> And forwarding an SSH port from a virtual guest, to an accessible IP
> address seems like a common enough use case for virtual machines, that
> I'm thinking it should.
> 
> But before I accept the pull request, and let loose the change across
> the internet, I wanted to solicit other opinions?

If you need the feature, then I think you should enable it. We disabled
it for those who don't use it.

> The pull request in question:
> 
> https://github.com/lavabit/robox/pull/66
> 
> L~
> 
>
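
The thread's trade-off (forwarding off by default, enabled only where needed) can be checked against a base box's config before it ships. The following is an added example, not code from the thread, Alpine or OpenSSH: a small static audit of `sshd_config` text that lists the scopes where `AllowTcpForwarding` is permissive. It assumes upstream OpenSSH behaviour (the first value read for a keyword wins, an absent keyword means `yes`) and does not follow `Include`; the sample config, user name and addresses are constructed.

```python
import re

UPSTREAM_DEFAULT = "yes"   # upstream OpenSSH value when the keyword is absent
PERMISSIVE = {"yes", "all", "local", "remote"}
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)$")   # "Keyword value" or "Keyword=value"

# Constructed sample, not Alpine's shipped file.
SAMPLE = """\
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes
Match User tunnel Address 192.0.2.0/24
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5432
Match Group admins
    X11Forwarding no
"""

def audit_tcp_forwarding(config_text):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value, blocks = None, []
    criteria, block_done = None, False   # criteria is None in the global section
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                        # blank line or comment
            continue
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":           # a Match block runs to the next Match or EOF
            criteria, block_done = rest, False
        elif keyword == "allowtcpforwarding" and rest:
            value = rest.split()[0].strip('"').lower()
            if criteria is None:
                if global_value is None: # sshd keeps the first value it reads
                    global_value = value
            elif not block_done:
                blocks.append((criteria, value))
                block_done = True
    return global_value or UPSTREAM_DEFAULT, blocks

def permissive_scopes(config_text):
    """List the scopes in which some form of TCP forwarding is allowed."""
    global_value, blocks = audit_tcp_forwarding(config_text)
    scopes = ["global"] if global_value in PERMISSIVE else []
    return scopes + ["Match " + c for c, v in blocks if v in PERMISSIVE]

if __name__ == "__main__":
    print(permissive_scopes(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; a parser like this is only useful for reviewing a config file before it is deployed.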