Thanks.  The "permitopen" option works really well on the sshd.  The only
way I seem to be able to get around the loopback restriction is by running
the ssh client on an intermediate machine.  The "AllowLoopback" registry
setting changes nothing.

- Chuck Renner

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael Ossmann
Sent: Wednesday, January 16, 2002 3:26 PM
To: [EMAIL PROTECTED]
Subject: Re: Providing (Windows) VNC support to clients that have strict
corporate firewalls


On Wed, Jan 16, 2002 at 02:40:16PM -0500, Chuck Renner wrote:
>
> Since VNCviewer states, "Internal loopback connections are not allowed", the
> implication is that there is a setting that WILL allow them, either in the
> source, or in the GUI settings.  Is this the case?

I wasn't expecting this.  I have no idea why loopback connections
wouldn't be allowed, and I suspect a source code change would be
required to change it.  Anyone?

>       2.  Opening the SSH connection from the client to the SSHD your Linux
> firewall is effectively like creating a VPN connection from the client to
> your network.  This opens a huge security hole in your network, and gives
> someone on the client's network the ability to snoop around your network
> when the connection is made.

One of the advantages of using public key authentication is that OpenSSH
can limit port forwarding to particular host:port combinations specified
by the permitonly option in the authorized_keys file.

--
Mike Ossmann, Tarantella/UNIX Engineer/Instructor
Alternative Technology, Inc.  http://www.alttech.com/
---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
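
Added example, not part of either message above: a small audit of an authorized_keys file that reports, per key, whether port forwarding is limited by "permitopen" to specific host:port targets, disabled, or left unrestricted. The key material, comments and the 192.0.2.x:5900 VNC targets in SAMPLE are constructed placeholders, and the function names are hypothetical.

```python
import re

# Key-type prefixes that mark the key field when a line carries no options.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# One option: a bare name, or name="value" where the value may hold \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')

# Constructed sample input (not real keys).
SAMPLE = '''
# constructed authorized_keys sample
permitopen="192.0.2.10:5900",no-pty,command="echo forwarding, only" ssh-ed25519 AAAAconstructed client-a
ssh-rsa AAAAconstructed client-b
restrict ssh-ed25519 AAAAconstructed client-c
permitopen="192.0.2.10:5900",permitopen="192.0.2.11:5900" ssh-rsa AAAAconstructed client-d
'''

def split_options(line):
    """Split a line into (options, rest) at the first blank outside quotes."""
    if line.startswith(KEY_PREFIXES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""

def audit(text):
    """Return {key comment: (verdict, [permitopen targets])} for each key line."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parsed = [(m.group(1).lower(), m.group(2)) for m in OPTION_RE.finditer(options)]
        names = {name for name, _ in parsed}
        targets = [value for name, value in parsed if name == "permitopen"]
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        if "no-port-forwarding" in names or ("restrict" in names and "port-forwarding" not in names):
            verdict = "disabled"      # key cannot forward at all
        elif targets:
            verdict = "limited"       # forwarding only to the listed host:port pairs
        else:
            verdict = "unrestricted"  # key may forward to anything sshd can reach
        report[comment] = (verdict, targets)
    return report

if __name__ == "__main__":
    for comment, (verdict, targets) in audit(SAMPLE).items():
        print(f"{comment}: {verdict} {targets}")
```

Keys reported as "unrestricted" are the ones that give a remote client the VPN-like reach into the network described in the quoted concern.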