limiting port forwarding? (do better than just 'on' or 'off'?)

Damien Miller djm at
Tue Dec 21 21:37:48 EST 1999


On Sat, 18 Dec 1999 sen_ml at wrote:

> hello-
>   I would like to be able to have users access a specific set of
> ports (and no others) on a machine running an ssh daemon via ssh's
> port-forwarding.
>   I was thinking of doing this by not providing shell access (so
> using an appropriate command="command" option in each user's
> authorized_keys file), but I did not find an appropriate keyword
> for the sshd configuration file to control which ports should be
> permitted to be forwarded. I know about the AllowTcpForwarding
> keyword, but it does not appear to allow the granularity of control
> I would like, to put it mildly ;-)

I was thinking of doing something along these lines. The mechanism
I had in mind was a /etc/ssh/portforward file (suggestions for a
better name welcomed) containing the following fields:

username     group       remote_addr       remote_port

username could be a name, uid or an asterisk meaning "any"

group could be a name, gid or an asterisk meaning "any"

remote_addr could be a hostname, ip address or network in CIDR format

remote_port could be a service name, port, port range (numbers with a
hyphen between them) or an asterisk.

That which is not implicitly allowed would be denied. We could ship a
default file of "* * * *" for backwards compatibility.


Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller -
| Email: djm at (home) -or- djm at (work)



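The four-field policy file sketched in the message above, as a model matcher added here (example code, not from the thread and not OpenSSH's own implementation). It assumes that username and group are compared as plain strings (a name or a decimal id, resolved by the caller), that remote_addr is '*', an IP address or a CIDR network (hostnames are not resolved here), that remote_port is '*', a port or an inclusive low-high range (service names are not looked up here), and that the sample policy text is constructed for the demonstration. Anything not matched by an explicit rule is denied, and a malformed rule makes the whole file fail closed rather than being skipped.

```python
"""Model of the per-user port-forwarding ACL proposed in the message above.

Rule format (one rule per line, '#' starts a comment):

    username  group  remote_addr  remote_port

Assumptions made for this illustration (not part of the proposal):
  * username and group are matched as plain strings (a name or a decimal
    id; resolving names to ids is left to the caller);
  * remote_addr is '*', an IPv4/IPv6 address or a CIDR network; hostnames
    are not resolved here;
  * remote_port is '*', a single port or an inclusive 'low-high' range;
    service names are not looked up here.
Anything that does not match an explicit rule is denied.
"""
import ipaddress


class PolicyError(ValueError):
    """Raised for a malformed rule so that a bad file fails closed."""


def _parse_ports(field):
    """Return an inclusive (low, high) tuple; '*' covers every port."""
    if field == "*":
        return (1, 65535)
    low, sep, high = field.partition("-")
    try:
        lo = int(low)
        hi = int(high) if sep else lo
    except ValueError:
        raise PolicyError(f"bad port field {field!r}") from None
    if not (1 <= lo <= hi <= 65535):
        raise PolicyError(f"port range out of order or out of range: {field!r}")
    return (lo, hi)


def _parse_addr(field):
    """Return an ip_network, or None for the '*' wildcard."""
    if field == "*":
        return None
    try:
        # strict=False lets '10.1.2.3/8' mean the /8 that contains that host
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        raise PolicyError(f"bad address field {field!r}") from None


def parse_policy(text):
    """Parse the whole file into a list of (user, group, network, (lo, hi))."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise PolicyError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        user, group, addr, ports = fields
        rules.append((user, group, _parse_addr(addr), _parse_ports(ports)))
    return rules


def forward_permitted(rules, user, groups, target_ip, target_port):
    """Default-deny check: may `user` (member of `groups`) forward to target_ip:target_port?"""
    target = ipaddress.ip_address(target_ip)
    for r_user, r_group, network, (lo, hi) in rules:
        if r_user != "*" and r_user != user:
            continue
        if r_group != "*" and r_group not in groups:
            continue
        # an IPv4 target is never "in" an IPv6 network, and vice versa
        if network is not None and target not in network:
            continue
        if not (lo <= target_port <= hi):
            continue
        return True
    return False


# Constructed sample policy file for the demonstration
SAMPLE_POLICY = """
# user   group    remote_addr        remote_port
alice    *        10.0.0.5           5432        # one database host
*        webdev   192.168.1.0/24     8000-8099   # dev web servers
bob      *        2001:db8::10       443
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for who, grps, ip, port in [("alice", {"staff"}, "10.0.0.5", 5432),
                                ("alice", {"staff"}, "10.0.0.5", 22),
                                ("carol", {"webdev"}, "192.168.1.77", 8080),
                                ("carol", {"users"}, "192.168.1.77", 8080)]:
        print(who, ip, port, "->", "permit" if forward_permitted(rules, who, grps, ip, port) else "deny")
```

Two design points the matcher makes concrete: a parse error raises instead of silently dropping the rule, because a skipped line in a default-deny file widens nothing but a skipped line in a file that a later rule opens up could be the one that was meant to narrow it; and the check is made against the address the daemon will actually connect to, since comparing a client-supplied hostname string against the rule would let whoever controls that name's resolution decide the outcome. For reference, OpenSSH later met the same need with the PermitOpen sshd_config keyword and the permitopen= authorized_keys option, both expressed as host:port entries.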