limiting port forwarding? (do better than just 'on' or 'off'?)

Damien Miller djm at mindrot.org
Tue Dec 21 21:37:48 EST 1999


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 18 Dec 1999 sen_ml at eccosys.com wrote:

> Hello,
> 
>   I would like to be able to have users access a specific set of
> ports (and no others) on a machine running an ssh daemon via ssh's
> port-forwarding.
>
>   I was thinking of doing this by not providing shell access (so
> using an appropriate command="command" option in each user's
> authorized_keys file), but I did not find an appropriate keyword
> for the sshd configuration file to control which ports should be
> permitted to be forwarded. I know about the AllowTcpForwarding
> keyword, but it does not appear to allow the granularity of control
> I would like, to put it mildly ;-)

I was thinking of doing something along these lines. The mechanism
I had in mind was a /etc/ssh/portforward file (suggestions for a
better name welcomed) containing the following fields:

username     group       remote_addr       remote_port

username could be a name, uid or an asterisk meaning "any"

group could be a name, gid or an asterisk meaning "any"

remote_addr could be a hostname, ip address or network in CIDR format

remote_port could be a service name, port, port range (numbers with a
hyphen between them) or an asterisk.

That which is not implicitly allowed would be denied. We could ship a
default file of "* * * *" for backwards compatibility.

Thoughts?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4X1iDormJ9RG1dI8RAku1AJ9oWM0Vtxs193dQ0z5AstEpgQWOkACdEbcF
S8vwv+jrZOupHEun8Psfatw=
=Q1GP
-----END PGP SIGNATURE-----
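The policy file proposed above, prototyped as an added example (this is not OpenSSH code and not part of the original message). It parses the four-field format (username, group, remote_addr, remote_port), implements the wildcard, CIDR, port-range and service-name rules as described, and denies any forward that no line matches. The policy contents, the service table standing in for /etc/services, and the FAKE_DNS table standing in for the resolver are constructed for the example; the function and variable names are my own assumptions, as is the decision to match the group field against any group the user belongs to rather than only the primary one.

```python
"""Prototype of the proposed /etc/ssh/portforward policy file.

Format (one rule per line, '#' starts a comment):
    username  group  remote_addr  remote_port
A forward is permitted only if at least one line matches it (default deny).
Added example; not OpenSSH code. Names and tables below are assumptions.
"""
import ipaddress

# Constructed stand-in for /etc/services (assumption: the only service names
# a policy may use in this example).
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "https": 443, "imaps": 993}

# Constructed stand-in for DNS so the example runs offline (assumption).
FAKE_DNS = {"mail.example.org": "10.0.0.25", "www.example.org": "192.0.2.10"}

# Constructed sample policy exercising every field type described in the post.
SAMPLE_POLICY = """
# user   group   remote_addr        remote_port
alice    *       mail.example.org   smtp
*        devs    10.0.0.0/8         8000-8999
bob      *       www.example.org    http
*        1001    *                  ssh
"""


def _parse_port(field):
    """Return (low, high) for '*', a number, a service name or 'a-b'."""
    if field == "*":
        return (1, 65535)
    if "-" in field:
        lo, hi = field.split("-", 1)
        lo, hi = int(lo), int(hi)
    else:
        lo = hi = int(field) if field.isdigit() else SERVICES[field]
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port or range: " + field)
    return (lo, hi)


def _parse_addr(field):
    """Return '*', an ip_network for an IP/CIDR field, or a lowercased hostname."""
    if field == "*":
        return "*"
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return field.lower()


def parse_policy(text):
    """Parse the policy text into (user, group, addr, (lo, hi)) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields" % lineno)
        user, group, addr, port = fields
        rules.append((user, group, _parse_addr(addr), _parse_port(port)))
    return rules


def _id_match(pattern, name, numeric_id):
    """'*' matches anyone; a digit string is a uid/gid; anything else is a name."""
    if pattern == "*":
        return True
    if pattern.isdigit():
        return int(pattern) == numeric_id
    return pattern == name


def _addr_match(pattern, host):
    """Hostname rules compare literally; IP/CIDR rules need an address."""
    if pattern == "*":
        return True
    if isinstance(pattern, str):
        return pattern == host.lower()
    # The client may name the target by IP or by hostname, so resolve a
    # hostname before testing CIDR containment (a real sshd would ask DNS).
    target = FAKE_DNS.get(host.lower(), host)
    try:
        return ipaddress.ip_address(target) in pattern
    except ValueError:
        return False


def forward_allowed(rules, user, uid, groups, host, port):
    """True if some rule lets user (uid, member of groups) reach host:port.

    groups is a list of (name, gid) pairs; any of them may satisfy a rule.
    """
    for r_user, r_group, r_addr, (lo, hi) in rules:
        if not _id_match(r_user, user, uid):
            continue
        if not any(_id_match(r_group, g, gid) for g, gid in groups):
            continue
        if _addr_match(r_addr, host) and lo <= port <= hi:
            return True
    return False  # nothing matched: denied by default


RULES = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    carol = ("carol", 1002, [("carol", 1002), ("devs", 500)])
    print(forward_allowed(RULES, *carol, "10.1.2.3", 8080))         # True
    print(forward_allowed(RULES, *carol, "mail.example.org", 8080))  # True
    print(forward_allowed(RULES, *carol, "10.1.2.3", 22))            # False
```

Two points worth noticing when running it. First, a hostname rule matches only the literal name the client asked for, so "bob * www.example.org http" does not permit bob to forward to 192.0.2.10:80 even though that is what the name resolves to; conversely a CIDR rule only applies to a hostname request if sshd resolves it first, which is why the checker resolves before testing containment. Second, an empty policy denies everything, and the "* * * *" default mentioned in the post permits everything, which is the backwards-compatible behaviour it was meant to provide.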
More information about the openssh-unix-dev mailing list