@iamvery
Contributor

@iamvery iamvery commented Nov 15, 2013

Hey man, I've been reading up on SSH security and considering the implications of allowing remote connections to one's machine. I was pleasantly surprised to find that you've added the --command option to the gem, but I thought it might be nice to take it a little further and allow you to specify further "lockdown" of these connections, limiting things such as port forwarding.

I admit knowledge of the subject is limited, but hopefully this can kick off a discussion about making things more secure! 😄

@coveralls
Coverage Status

Coverage increased (+0.13%) when pulling d3e3cdb on iamvery:ssh-lockdown into 4befc00 on chrishunt:master.

@chrishunt
Owner

@iamvery Sweet, thanks for the PR. I'm going to think a bit about this one. Part of me wants to just make this the default behavior since the same options were mentioned in #13 and #8 as well.

It seems like 99.99% of the time people will want this behavior.

What are your thoughts on that?

@iamvery
Contributor Author

iamvery commented Nov 15, 2013

Tbh, I don't feel completely confident in providing an opinion on the options themselves. I'm not intimately familiar with these options, so I don't know what all the implications are.

Concerning defaults, I guess it's all about what people are doing with the auth. If the goal of the gem is just to provide auth via publicly available keys, then it may be a bit presumptuous to limit the functionality of that connection by default.

On the other hand, if security isn't provided by default, it probably won't be used. So perhaps the issue is more about user education?

I'd love to have others weigh in...

iamvery added a commit to iamvery/dotfiles that referenced this pull request Nov 18, 2013
* This option would disable forwarding for the pair's SSH connection.
* See chrishunt/github-auth#25 for more
  information.
@iamvery iamvery closed this Jun 16, 2014