Selectively allowing port forwards
sen_ml at eccosys.com
Tue Apr 4 14:01:20 EST 2000
i hope what you suggest gets implemented, as i've been wanting similar
functionality for a while now.
however, i was under the impression that Damien felt that new features
should be added to the "upstream" openbsd version first.
please see the following messages for reference:
Message-Id: <19991218114559I.1000 at eccosys.com>
Message-Id: <Pine.LNX.4.10.9912212131240.1077-100000 at mothra.mindrot.org>
Message-Id: <20000303172656J.1000 at eccosys.com>
Message-ID: <Pine.LNX.4.10.10003050926090.662-100000 at mothra.mindrot.org>
i'd send you links, but i haven't been able to find all of the
relevant messages at the archive that i know about -- here's one that
i did find though:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=94577271606092&w=2
p.s. does anyone know of a different archive for the list?
marc> Given the following situation: A client C uses S as a POP3 server. We
marc> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
marc> being asked for a password. Thus, we create a passphrase-less key pair
marc> on A, transmit the public key to S and insert it into
marc> ~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep
marc> the connection open while the poll is going through via a forwarded
marc> port.
marc> That way, one taking possession of the private key can "only" use S for
marc> arbitrary port forwards and does not have shell access to S.
marc> I feel it would be desirable to restrict a key to "only do port
marc> forwards to localhost:110". Would it be possible to have something
marc> like that implemented in a future release?
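
Added example, not part of the original thread: a small audit of `authorized_keys` entries that reports whether a key is left able to request arbitrary local port forwards, as in the forced-command setup marc describes. It assumes the `permitopen`, `no-port-forwarding`, `restrict` and `port-forwarding` key options of current OpenSSH, which the thread does not mention; the sample entries and key material are constructed.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
# One option: a name, optionally ="value"; the value may contain \" and commas.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')

def parse_options(line):
    """Return {option name: [values]} for one authorized_keys line."""
    line, opts, pos = line.strip(), {}, 0
    if KEY_TYPE.match(line):           # line starts with the key type: no options
        return opts
    while (m := OPTION.match(line, pos)):
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
        if line[pos:pos + 1] != ",":   # options field ends at the first unquoted space
            break
        pos += 1
    return opts

def local_forward_exposure(line):
    """Classify what local (ssh -L) forwarding a key may request."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None                    # blank line or comment
    opts = parse_options(line)
    if "no-port-forwarding" in opts:
        return "none"
    if "restrict" in opts and "port-forwarding" not in opts:
        return "none"                  # restrict disables forwarding unless re-enabled
    if "permitopen" in opts:
        return "limited:" + ",".join(v or "?" for v in opts["permitopen"])
    return "arbitrary"                 # a forced command alone does not limit forwards

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLES = [
    'command="sleep 300" ssh-rsa AAAA-CONSTRUCTED pop-poll@A',
    'command="sleep 300",permitopen="localhost:110" ssh-rsa AAAA-CONSTRUCTED pop-poll@A',
    'command="echo \\"a, b\\"",no-port-forwarding ssh-rsa AAAA-CONSTRUCTED other@A',
    'restrict,port-forwarding,command="sleep 300" ssh-rsa AAAA-CONSTRUCTED third@A',
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(f"{local_forward_exposure(entry):<24} {entry[:60]}")
```

`permitopen` only constrains the destinations of local forwards, so a key that should do nothing else still needs the forced command and the other restrictions checked separately.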