Selectively allowing port forwards

Marc Haber at
Tue Apr 4 03:39:31 EST 2000


The current version of sshd allows restricting keys to issue only
specific commands. However, port forwarding can only be forbidden

Given the following situation: A client C uses S as a POP3 server. We
want to poll E-Mail via POP3 from S to A via an ssh tunnel without
being asked for a password. Thus, we create a passphrase-less key pair
on A, transmit the public key to S and insert it into
~account/.ssh/authorized_keys. The only command allowed is "sleep" to keep
the connection open while the poll is going through via a forwarded

That way, one taking possession of the private key can "only" use S for
arbitrary port forwards and does not have shell access to S.

I feel it would be desirable to restrict a key to "only do port
forwards to localhost:110". Would it be possible to have something
like that implemented in a future release?


-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
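The risk the post describes (a passphrase-less key whose only restriction is command="sleep", which still permits arbitrary port forwards through S) is exactly what an audit of authorized_keys should surface. Later OpenSSH releases added the permitopen="host:port" option the post asks for, along with no-port-forwarding, restrict and port-forwarding. The script below is an added example, not code from the post or from the OpenSSH project: it parses the options field of each authorized_keys line (honouring quoted values and backslash escapes as sshd does) and classifies each key as allowing any forward, only the permitopen destinations, or none. The option names are real sshd AUTHORIZED_KEYS options; the sample file and the placeholder key strings are constructed for the example.

```python
"""Audit an authorized_keys file for keys that permit port forwarding.

Added example. Classifies each key by what forwarding it allows, based
on the real sshd options no-port-forwarding, restrict, port-forwarding
and permitopen=. The sample file below is constructed; the key material
is placeholder text, not real keys.
"""

# Prefixes of key types, used to detect lines that carry no options field.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Constructed sample. Line 1 mirrors the 2000-era setup from the post:
# command="sleep" only, so the key can still open arbitrary forwards.
SAMPLE_KEYFILE = """\
# constructed sample: placeholder key material, not real keys
command="sleep 3600",no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3...PLACEHOLDER1 poller@A
permitopen="localhost:110",command="sleep 3600",no-pty ssh-ed25519 AAAAC3...PLACEHOLDER2 poller-restricted@A
ssh-ed25519 AAAAC3...PLACEHOLDER3 admin@workstation
restrict,port-forwarding,permitopen="localhost:110" ssh-ed25519 AAAAC3...PLACEHOLDER4 modern@A
"""


def parse_options(text):
    """Split a comma-separated options field into (name, value) pairs.

    Commas and spaces inside double quotes belong to the value, and a
    backslash inside quotes escapes the next character, as in sshd(8).
    Flag options without '=' get value None.
    """
    opts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted:
            if ch == "\\" and i + 1 < len(text):
                buf.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == ",":
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        opts.append("".join(buf))
    parsed = []
    for opt in opts:
        name, sep, value = opt.partition("=")
        parsed.append((name.lower(), value if sep else None))
    return parsed


def split_line(line):
    """Return (options, key_type, key, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        options, rest = "", line
    else:
        # The options field ends at the first whitespace outside quotes.
        quoted, i = False, 0
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == "\\" and quoted:
                i += 1  # skip the escaped character
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        return None
    comment = parts[2] if len(parts) > 2 else ""
    return options, parts[0], parts[1], comment


def classify(line):
    """Describe one key: forwarding is 'none', 'restricted' or 'any'."""
    parsed = split_line(line)
    if parsed is None:
        return None
    options, key_type, _key, comment = parsed
    names, permitopen, command = set(), [], None
    for name, value in parse_options(options):
        names.add(name)
        if name == "permitopen":
            permitopen.append(value)
        elif name == "command":
            command = value
    # 'restrict' disables forwarding unless 'port-forwarding' re-enables it.
    if "no-port-forwarding" in names or (
        "restrict" in names and "port-forwarding" not in names
    ):
        forwarding = "none"
    elif permitopen:
        forwarding = "restricted"  # only the listed host:port destinations
    else:
        forwarding = "any"
    return {
        "comment": comment,
        "key_type": key_type,
        "command": command,
        "forwarding": forwarding,
        "permitopen": permitopen,
    }


def audit(keyfile_text):
    """Classify every key line in an authorized_keys file."""
    rows = [classify(line) for line in keyfile_text.splitlines()]
    return [r for r in rows if r is not None]


if __name__ == "__main__":
    for row in audit(SAMPLE_KEYFILE):
        print(f"{row['comment']:<24} forwarding={row['forwarding']:<10} "
              f"permitopen={row['permitopen']} command={row['command']!r}")
```

Run against a real file with audit(open("/path/to/authorized_keys").read()); any row reporting forwarding=any on a key that is not meant to have a shell is the case the post worries about, and adding permitopen="localhost:110" (or restrict plus port-forwarding and permitopen) to that line narrows it to the POP3 port.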
