PCI DSS 4.0 – Are SSH tunnels and gateways doomed?
I won't lie, I am not a security expert, and I am likely one of those guys in those companies whose working-life proficiency is to slowly become a little annoying. I work for a company complying with the PCI DSS standard, and the company is slowly starting to roll out changes for compliance with the PCI DSS 4.0 standard.
As a sysadmin, it looks like one of the first victims to fall is going to be our Linux jump servers. Originally, there was some talk that it was just due to a new requirement for MFA on said systems, but that is doable just fine. It would be a bit annoying compared to everything magically working thanks to SSH key authentication, but with built-in caching I believe it might only require doing so two or three times a day, which is an inconvenience I believe all of us could live with. The issue is that then another discussion about SSH tunnels emerged, and here is where I hoped someone from the community who lives and breathes PCI DSS compliance might shed more light on this "requirement", as I have a feeling something might have been lost in translation and maybe this is not correct information.
Does PCI DSS 4.0 compliance prohibit the existence of SSH jump servers and SSH tunnels, respectively, given that any such server would implement MFA for SSH?