Is it Okay to Change AllowTcpForwarding to "yes" (OpenSSH)

Discussion in 'General Discussion' started by peterallcdn, Jan 7, 2007.

  1. peterallcdn

    peterallcdn New Member

    Hello All,

    I was used to managing my databases with standalone software such as Navicat etc. But a couple of months ago I subscribed to a hardware firewall for my server whose settings cannot be changed. I didn't know it would, but this firewall stopped me from connecting to MySQL with my standalone apps.

    I tried for quite a while to get SSH tunneling working but failed to do so until today. I ran across some info which instructed changing "AllowTcpForwarding no" to "AllowTcpForwarding yes" in /etc/ssh/sshd_config.

    At least one of my apps can now connect to MySQL using SSH tunneling mode!!! BUT, I'm not very techy when it comes to managing a server, so I was hoping someone could tell me if there are any real dangers or problems with changing AllowTcpForwarding to "yes". I read something about "port bouncing" but do not know how much of a danger it is or if there is a way to prevent it but keep AllowTcpForwarding as "yes".

    If what I've done is okay I'd appreciate hearing that. But if there is a better way to ssh tunnel past my firewall my ears are open! :-D

    Thanks!
    Peter
     
  2. chirpy

    chirpy Super Moderator

    AIUI, AllowTcpForwarding is an issue if you don't trust your user base if they have SSH access. Otherwise, it should be OK. The issue I found was the port bouncing that you mentioned, but that only appears to be an issue if you allow anonymous access via SSH (which you most likely don't) or you have untrustworthy users connecting via SSH who can then bounce to normally protected ports.
     
  3. peterallcdn

    peterallcdn New Member

    You mean like hosting clients? I'm the only person who has any access to the server. I do web design but it's strictly hands-off for my clients. ;-) So I guess I'm okay on this point.
    Like you said, I doubt that anonymous access is allowed, but to be sure, how could I find out if it is allowed or not? If it's not allowed then I'm going to be one happy camper because I will be able to continue using SSH tunneling. I've missed using my standalone apps!! :-D

    Thanks for all your help!
    Peter
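
Added example (not part of the thread): a shell check over the effective sshd settings that bear on the two questions raised above, namely whether empty-password logins are accepted and whether a tunnel can reach ports other than MySQL. It reads the lowercase `keyword value` lines that `sshd -T` prints; both sample inputs are constructed, and MySQL listening on 127.0.0.1:3306 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Reads `sshd -T` style lines ("keyword value", lowercase) on stdin and
# prints one finding per line; prints "OK" when nothing is flagged.
audit_forwarding() {
    awk '
        { key = $1; $1 = ""; sub(/^[ \t]+/, ""); cfg[key] = $0 }
        END {
            fwd = cfg["allowtcpforwarding"]; n = 0
            if (cfg["permitemptypasswords"] == "yes") {
                print "WARN permitemptypasswords: accounts with empty passwords can log in"; n++
            }
            # Local forwarding with no PermitOpen list can target any port.
            if ((fwd == "yes" || fwd == "local") && cfg["permitopen"] == "any") {
                print "WARN permitopen: tunnels may target any host:port reachable from the server"; n++
            }
            # A client-side tunnel to MySQL only needs local forwarding.
            if (fwd == "yes" || fwd == "remote") {
                print "NOTE allowtcpforwarding: remote (-R) forwarding is on; \"local\" covers a client-side tunnel"; n++
            }
            if (n == 0) print "OK"
        }'
}

# Constructed sample: effective settings after only flipping AllowTcpForwarding.
SAMPLE_OPEN='allowtcpforwarding yes
permitopen any
permitemptypasswords no'

# Constructed sample: same server limited to a local tunnel to MySQL
# (assumes MySQL listens on 127.0.0.1:3306, its default port).
SAMPLE_SCOPED='allowtcpforwarding local
permitopen 127.0.0.1:3306
permitemptypasswords no'

printf '%s\n' "$SAMPLE_OPEN" | audit_forwarding
printf '%s\n' "$SAMPLE_SCOPED" | audit_forwarding
# On a real host (as root): sshd -T | audit_forwarding
```

The scoped sample corresponds to `AllowTcpForwarding local` together with `PermitOpen 127.0.0.1:3306` in /etc/ssh/sshd_config on a current OpenSSH.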
     