Hacker News

nticompass
Enabling port forwarding over SSH when it's "administratively prohibited" blog.computers.pictures

Bender, 7 hours ago

No idea why they would do this, but they did.

Hardening in sshd_config to prevent arbitrary network access behind the firewall where the firewall would otherwise not permit it. If one can get around this, then the host itself may be missing proper outbound owner-based firewall rules; this varies by compliance requirements.

nticompass (op), 6 hours ago

I'd understand if there was a firewall rule to prevent me from port forwarding to another machine on the same network, but this is the same machine (localhost).

Bender, 5 hours ago

That is the hardening I was referring to in sshd [1] itself. I updated my comment to clarify sshd_config. Without specifying permitopen and permitlisten, one could for example access a service that for whatever reason does not use proper access and authentication controls, such as an old installation of Redis listening on 127.0.0.1:6379. Something else to read up on is PermitTunnel and the global forwarding options AllowTcpForwarding and AllowStreamLocalForwarding. Beyond that, another thing to research is MaxSessions, which can be abused by phishers that get a shell on one's laptop, facilitating the unlogged bypass of MFA/2FA.

Another option to read up on is "Match" which can modify options for specific users, groups, networks or ports. For example we can disable port forwarding for Bob and enable port forwarding for Alice.

To further limit what that host can talk to one can use the Netfilter "owner" module to limit outbound connections by user or group. So for example only the LDAP user can talk to the LDAP server.

    # sshd -T | grep permit[l-o]
    permitopen 10.10.1.1:80
    permitlisten 10.10.1.1:80

Each org may have different audit and regulatory requirements that determine which, if any, of these options are utilized. Development orgs and small startups rarely use any of them due to the perception of friction.

[1] - https://man7.org/linux/man-pages/man5/sshd_config.5.html
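An added example, not part of the thread or of OpenSSH: a small Python audit that parses `sshd -T` style output (a constructed sample for a hypothetical host) and flags the forwarding controls the comment above lists, so an admin can check the effective posture rather than read sshd_config by hand.

```python
from collections import defaultdict

# Constructed sample of `sshd -T` output for a hypothetical host; not captured from a real system.
SAMPLE_SSHD_T = """\
allowtcpforwarding yes
allowstreamlocalforwarding yes
permittunnel no
maxsessions 10
permitopen 10.10.1.1:80
permitopen 10.10.1.1:443
permitlisten 10.10.1.1:80
"""


def parse_sshd_t(text):
    """Parse `keyword value` lines into {keyword: [values]}; repeated keywords accumulate."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg[key.lower()].append(value.strip())
    return cfg


def audit_forwarding(cfg):
    """Return [(severity, keyword, message)] for the forwarding options discussed in the thread."""
    first = lambda key, default: cfg.get(key, [default])[0]
    findings = []
    tcp = first("allowtcpforwarding", "yes")  # yes | no | local | remote
    if tcp in ("yes", "local"):
        opens = cfg.get("permitopen", ["any"])
        if "any" in opens:
            findings.append(("high", "permitopen", "-L may reach any host/port the sshd host can, "
                             "including services bound to 127.0.0.1"))
        else:
            findings.append(("info", "permitopen", "-L targets limited to " + ", ".join(opens)))
    if tcp in ("yes", "remote"):
        listens = cfg.get("permitlisten", ["any"])
        if "any" in listens:
            findings.append(("high", "permitlisten", "-R may bind any port on the sshd host"))
        else:
            findings.append(("info", "permitlisten", "-R binds limited to " + ", ".join(listens)))
    if first("allowstreamlocalforwarding", "yes") != "no":
        findings.append(("medium", "allowstreamlocalforwarding", "Unix-domain socket forwarding is on"))
    if first("permittunnel", "no") != "no":
        findings.append(("high", "permittunnel", "tun(4) device forwarding is on"))
    sessions = int(first("maxsessions", "10"))
    if sessions > 1:
        findings.append(("low", "maxsessions", f"{sessions} sessions may share one authenticated connection"))
    return findings
```

Feed it real output with `sshd -T -C user=bob` to see what a given Match block resolves to for that user.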
