Selectively allowing port forwards

sen_ml at eccosys.com sen_ml at eccosys.com
Tue Apr 4 14:01:20 EST 2000


i hope what you suggest gets implemented, as i've been wanting similar
functionality for a while now.

however, i was under the impression that Damien felt that new features
should be added to the "upstream" openbsd version first.

please see the following messages for reference:

  Message-Id: <19991218114559I.1000 at eccosys.com>
  Message-Id: <Pine.LNX.4.10.9912212131240.1077-100000 at mothra.mindrot.org>
  Message-Id: <20000303172656J.1000 at eccosys.com>
  Message-ID: <Pine.LNX.4.10.10003050926090.662-100000 at mothra.mindrot.org>

i'd send you links, but i haven't been able to find all of the
relevant messages at the archive that i know about -- here's one that
i did find though:

  http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=94577271606092&w=2

p.s. does anyone know of a different archive for the list?

marc> Given the following situation: A client C uses S as a POP3 server. We
marc> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
marc> being asked for a password. Thus, we create a passphrase-less key pair
marc> on A, transmit the public key to S and insert it into
marc> ~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep
marc> the connection open while the poll is going through via a forwarded
marc> port.

marc> That way, one taking possession of the private key can "only" use S for
marc> arbitrary port forwards and does not have shell access to S.

marc> I feel it would be desirable to restrict a key to "only do port
marc> forwards to localhost:110". Would it be possible to have something
marc> like that implemented in a future release?

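As an added example, not part of this thread: a small Python audit of an authorized_keys file that parses each key's option field and reports whether the options actually limit TCP forwarding. It shows the gap marc describes (a forced `command="sleep"` key that can still open arbitrary forwards) next to the restricted form later OpenSSH releases support with the real `permitopen` and `no-port-forwarding` options. The sample file and key blobs are constructed placeholders.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def parse_line(line):
    """Split one authorized_keys line into ([(option, value)], key_text).
    Quoted option values may contain commas, spaces and \\" escapes."""
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first[0].isdigit():   # digit: old SSH1 "bits e n" form
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == "\\" and i + 1 < len(line):    # escaped character inside quotes
                cur += line[i + 1]
                i += 2
                continue
            if c == '"':
                quoted = False
            else:
                cur += c
        elif c == '"':
            quoted = True
        elif c == ",":
            opts.append(cur)
            cur = ""
        elif c.isspace():                          # unquoted whitespace ends the option field
            break
        else:
            cur += c
        i += 1
    if cur:
        opts.append(cur)
    parsed = [(o.partition("=")[0].lower(), o.partition("=")[2]) for o in opts]
    return parsed, line[i:].strip()

def forward_scope(options):
    """Classify what TCP forwarding the key may open: "none", "limited" (with the
    permitopen destinations) or "any". A forced command alone never limits it."""
    names = [n for n, _ in options]
    if "no-port-forwarding" in names or ("restrict" in names and "port-forwarding" not in names):
        return "none", []
    dests = [v for n, v in options if n == "permitopen"]
    return ("limited", dests) if dests else ("any", [])

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = """\
# poller key as described in the thread: forced command, forwarding unrestricted
command="sleep 3600",no-pty ssh-rsa AAAAB3...poller poll-from-A
command="sleep 3600",no-pty,permitopen="localhost:110" ssh-rsa AAAAB3...poller poll-from-A
no-port-forwarding,command="/usr/local/bin/backup" ssh-rsa AAAAB3...backup backup
ssh-ed25519 AAAAC3...admin admin
"""

def audit(text):
    """Return (line number, scope, permitted destinations, has forced command) per key."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _ = parse_line(line)
        scope, dests = forward_scope(options)
        findings.append((lineno, scope, dests, any(n == "command" for n, _ in options)))
    return findings

if __name__ == "__main__":
    for lineno, scope, dests, forced in audit(SAMPLE):
        print(f"line {lineno}: forwarding={scope} {dests} forced_command={forced}")
```

A key reported as `forwarding=any` with `forced_command=True` is exactly the case marc raises: the command restriction stops shell access but not port forwards.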
More information about the openssh-unix-dev mailing list