Better defaults for sshnpd's --permit-open

Open gkc opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

Currently permitOpen defaults to localhost:22,localhost:3389 which is overly restrictive for a typical 'bastion'-like daemon deployment.

Describe the solution you'd like

IF a --permit-open is not specified by the user AND a policy atSign IS specified THEN default permitOpen to ':'

Describe alternatives you've considered

Considered just defaulting to ':' in all cases but that might be overly permissive. In discussion, @cpswan and I felt that this proposed solution has the best balance between considerations of user experience and security.

Additional context

No response

gkc, Aug 29 '24 12:08

If you define a policy server then default open?

cconstab, Aug 29 '24 13:08

> If you define a policy server then default open?

Yes exactly

gkc, Aug 29 '24 14:08

arch comments

  • proposal is good if we want to eliminate administrator hassles, because if they want to permit open a port, they would have to both 1. manually configure permit open on sshnpd and 2. do policy stuff.
  • the story behind being restrictive on sshnpd permit open is to encourage the person using sshnpd to explicitly say what is allowed
  • bastion in corporate environment is setting firewall rules one by one, which is still the behaviour that will be exercised when using policy manager

JeremyTubongbanua, Aug 29 '24 15:08

PR in review

gkc, Sep 16 '24 12:09