Selectively allowing port forwards
Marc Haber
openssh-unix-dev.mindrot.org at marc-haber.de
Tue Apr 4 03:39:31 EST 2000
Hi!
The current version of sshd allows to restrict keys to issue only
specific commands. However, port forwarding can only be forbidden
entirely.
Given the following situation: A client C uses S as a POP3 server. We
want to poll E-Mail via POP3 from S to A via an ssh tunnel without
being asked for a password. Thus, we create a passphrase-less key pair
on A, transmit the public key to S and insert it into
~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep
the connection open while the poll is doing through via a forwarded
port.
That way, one taking posession of the private key can "only" use S for
arbitrary port forwards and do not have shell access to S.
I feel it would be desireable to restrict a key to "only do port
forwards to localhost:110". Would it be possible to have something
like that implemented in a future release?
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
More information about the openssh-unix-dev
mailing list