AllowTcpForwarding Parameter.
The security folks at my establishment have raised a concern regarding 'AllowTcpForwarding'. They want me to turn this off in my sshd config file. They see this as a breach of rules. Currently I don't have it coded at all, meaning it defaults. What are the implications if I change it to NO?
Note: AllowTcpForwarding is never required if you are only using Co:Z SFTP.
If you are using the Co:Z Launcher to a target system then you must have AllowTcpForwarding set to yes on the target server *unless* you specify the Co:Z Launcher option "ssh-tunnel=false". If Co:Z Launcher is using ssh-tunneling (the default, so that data connections back to the job step are encrypted!), then you must allow reverse port forwarding, but it is only required to enable this for the localhost (loopback) adapter. This can be controlled using the "GatewayPorts" option; by default it only allows reverse forwarding from the loopback adapter.
Disabling AllowTcpForwarding seems like it will add security, but most hackers recognize that this is not the case unless the server also completely locks down what programs they are allowed to run. From "man sshd_config":
Additional details:

    AllowTcpForwarding
            Specifies whether TCP forwarding is permitted. The default is
            “yes”. Note that disabling TCP forwarding does not improve
            security unless users are also denied shell access, as they
            can always install their own forwarders.
Using the Co:Z Launcher, the remote forwarding of connections from the target server back into the launching job step allows for the target program (and its processes) to get data connections back into the launching z/OS job step. A randomly generated session key is made available in an environment variable (private to these processes) that is used to authenticate each connection. This would prevent, say, another program on the same target server from connecting to the port doing the forwarding in order to get any services from the Co:Z Launcher.
For secure networks, especially hipersockets and zBX IEDN connections, the Co:Z Launcher option "ssh-tunnel=false" can be used to eliminate reverse port forwarding of data connections from the target program to the launching job step, so that the cost of encryption can be avoided if not required.
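The answer above turns on two sshd_config keywords on the target server: AllowTcpForwarding (must permit remote/reverse forwards for the Launcher's default ssh-tunnel=true) and GatewayPorts (should stay at its default of "no" so the forwarded port is bound to loopback only). Because sshd takes the first occurrence of a keyword and ignores later ones, and because a setting that is simply absent falls back to a compiled-in default, reading the file by eye is error-prone. The script below is an added example written for this page; it is not Co:Z, Dovetailed, or OpenSSH code. It assumes the target runs an OpenSSH-derived sshd whose sshd_config follows the rules in sshd_config(5): keywords are case-insensitive, the first occurrence wins, "Keyword=value" is accepted as well as "Keyword value", and the defaults are AllowTcpForwarding yes and GatewayPorts no. It also assumes the AllowTcpForwarding values "local" and "remote" (OpenSSH 6.2 and later) are understood by the target. Settings inside a Match block are conditional and are skipped; on a live host `sshd -T` remains the authoritative dump of effective settings. The sample configurations are constructed for the demonstration and do not come from any real system.

```shell
#!/bin/sh
# Added example, not Co:Z or OpenSSH code: report the value sshd would apply
# for a keyword in an sshd_config, then decide whether a Co:Z Launcher target
# (ssh-tunnel=true) would be able to open its reverse forward.
#
# Rules applied, as documented in sshd_config(5):
#   - keywords are case-insensitive; the first occurrence of a keyword wins
#   - keyword and value may be separated by whitespace or by "="
#   - lines beginning with "#" and blank lines are ignored
#   - compiled-in defaults: AllowTcpForwarding yes, GatewayPorts no
# Assumption: the first "Match" block ends the global section, so anything
# below it is conditional and is not considered here.

# effective_value FILE KEYWORD DEFAULT -> prints the effective value, lower-cased
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }                      # comment
        /^[[:space:]]*$/ { next }                      # blank line
        { gsub(/=/, " ") }                             # accept "Keyword=value"
        tolower($1) == "match" { exit }                # conditional section begins
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }                  # absent: compiled-in default
    ' "$1"
}

# coz_launcher_check FILE
#   returns 0 if remote forwards are permitted and the forwarded port stays on
#   loopback, 1 if remote forwards are blocked (the Launcher's reverse tunnel
#   would fail unless ssh-tunnel=false is used), 2 if forwards work but
#   GatewayPorts would let other hosts reach the forwarded port.
coz_launcher_check() {
    fwd=$(effective_value "$1" AllowTcpForwarding yes)
    gw=$(effective_value "$1" GatewayPorts no)
    case "$fwd" in
        yes|all|remote) ;;   # reverse (remote) forwards are allowed
        *)  echo "FAIL: AllowTcpForwarding=$fwd blocks the Launcher's reverse forward"
            return 1 ;;
    esac
    if [ "$gw" != "no" ]; then
        echo "WARN: GatewayPorts=$gw exposes the forwarded port beyond loopback"
        return 2
    fi
    echo "OK: AllowTcpForwarding=$fwd GatewayPorts=$gw (remote forwards, loopback only)"
    return 0
}

# Constructed sample configurations for the demonstration (not from a real host).
tmp=$(mktemp -d)
printf 'Port 22\n' > "$tmp/default.conf"                      # nothing set: defaults apply
printf 'AllowTcpForwarding no\n' > "$tmp/locked.conf"         # what the security team asked for
printf 'allowtcpforwarding=remote\nAllowTcpForwarding no\nGatewayPorts yes\n' \
    > "$tmp/first_wins.conf"                                  # second line is ignored by sshd
for f in default locked first_wins; do
    printf '%s: ' "$f"
    coz_launcher_check "$tmp/$f.conf" || :
done
rm -rf "$tmp"
```

Run it against a copy of the target's sshd_config (`coz_launcher_check /etc/ssh/sshd_config`) before changing AllowTcpForwarding, and compare the result with `sshd -T` on the host itself, which also resolves Match blocks and Include directives that this simplified reader deliberately stops at.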