mediumaccess-controlverified ✓rollback-safe
Disable SSH forwarding
ssh-disable-forwarding · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must disable all forwarding capabilities including X11, TCP, StreamLocal, and tunnel forwarding. The DisableForwarding directive provides a single control that supersedes individual forwarding settings, preventing any use of the SSH connection as a network proxy.
Rationale
SSH forwarding allows authenticated users to tunnel arbitrary network traffic through the encrypted connection, bypassing firewalls and network segmentation controls. An attacker with valid SSH credentials could use forwarding to pivot into restricted network segments, exfiltrate data through encrypted tunnels, or relay attacks through the compromised host.
Check → Remediate
Checksshd_effective_config
- key:
- disableforwarding
- expected:
- yes
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- DisableForwarding
- value:
- yes
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.8rhel8 5.1.10rhel9 5.1.10
NIST 800-53
CM-6CM-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#forwarding#x11#tcp-forwarding