Selectively allowing port forwards

Damien Miller djm at
Tue Apr 4 14:10:25 EST 2000

On Mon, 3 Apr 2000, Marc Haber wrote:

> Hi!
> The current version of sshd allows keys to be restricted to issuing only
> specific commands. However, port forwarding can only be forbidden
> entirely.
> Given the following situation: A client C uses S as a POP3 server. We
> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
> being asked for a password. Thus, we create a passphrase-less key pair
> on A, transmit the public key to S and insert it into
> ~account/.ssh/authorized_keys. The only command allowed is "sleep" to keep
> the connection open while the poll is going through via a forwarded
> port.
> That way, one taking possession of the private key can "only" use S for
> arbitrary port forwards and does not have shell access to S.
> I feel it would be desirable to restrict a key to "only do port
> forwards to localhost:110". Would it be possible to have something
> like that implemented in a future release?

I have been toying with the idea of implementing Keynote[1] policies
as a substitute for authorized_keys. 

Keynote is nice because it solves the delegation problem well, but I 
couldn't figure out a way to cleanly support forced commands and port 
forward restrictions with the current Keynote language.


| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller -
| Email: djm at (home) -or- djm at (work)
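The exposure Marc describes (a forced "sleep" command alone still leaves the key free to forward anywhere) is something an administrator can audit for in an authorized_keys file. The script below is an added example, not code from the thread or from OpenSSH; it assumes the per-key options that later OpenSSH releases added for exactly this purpose, `permitopen="host:port"` to confine forwards to one destination and `restrict` to switch everything off, and classifies each entry accordingly over a constructed sample file.

```python
def parse_options(line):
    """Split an authorized_keys line into ([(option, value|None)], rest).
    Quoted values may contain commas and spaces, so split by hand."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # no options field
        return [], line
    tokens, cur, quoted, rest = [], "", False, ""
    for i, c in enumerate(line):
        if c == '"':
            quoted = not quoted  # quotes delimit; their contents are kept verbatim
        elif not quoted and c == ",":
            tokens.append(cur)
            cur = ""
        elif not quoted and c.isspace():  # first bare space ends the options field
            rest = line[i + 1:].lstrip()
            break
        else:
            cur += c
    tokens.append(cur)
    return [tuple(t.split("=", 1)) if "=" in t else (t, None) for t in tokens], rest

def forwarding_exposure(opts):
    """'none': forwarding off; 'restricted': only permitopen targets; 'arbitrary':
    anywhere. sshd applies options in order, so a later port-forwarding wins."""
    allowed, permitopen = True, []
    for name, value in opts:
        n = name.lower()
        if n in ("no-port-forwarding", "restrict"):
            allowed = False
        elif n == "port-forwarding":
            allowed = True
        elif n == "permitopen" and value:
            permitopen.append(value)
    return "none" if not allowed else "restricted" if permitopen else "arbitrary"

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
command="sleep 3600",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE poll-key-as-in-mail
command="sleep 3600",no-pty,permitopen="localhost:110" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE poll-key-hardened
restrict,port-forwarding,permitopen="localhost:110",command="sleep 3600" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE poll-key-restrict
no-port-forwarding,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EXAMPLE backup-only
ssh-rsa AAAAB3NzaC1yc2EXAMPLE plain-key
"""
def audit(text):
    """Return [(key comment, exposure)] for every key entry in an authorized_keys file."""
    results = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            opts, rest = parse_options(line)
            results.append(("".join(rest.split(None, 2)[2:]), forwarding_exposure(opts)))
    return results
```

Entries reported as "arbitrary" are the ones whose private key, if stolen, turns the server into a general-purpose relay; the "poll-key-hardened" form is the setup from the mail with the forward pinned to localhost:110.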
