Problems with Port Forwarding and Password auth

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Thu Jul 13 00:40:27 EST 2000


Andy Hanson <hanson at phat.shugashack.com> writes:

> So, for a long story made short, setting the default value of
> no_port_forwarding_flag=1 fixes my problem for SecureFX. But it seems
> to me that the problem goes deeper in that port forwarding does not
> seem to work under any circumstance for password authentication.  Only
> authentication through public keys seems to allow it.

Yes, that's right.  We have customized OpenSSH 1.2.x for our own use
so that we have more control over port forwarding.  (Users do not have
shell accounts on the tunneling endpoint, so they cannot set up
tunnels on their own.)  While the patch primarily aims at fine-grained
control regarding to which hosts and ports can be tunneled, port
forwarding can be disabled on a per-user basis as a side effect (and
not only on a per-RSA-key basis, as with standard OpenSSH).

We can donate the patch to the OpenSSH team if there is any interest
(if some legal details with the university administration can be
worked out, that is...)  The patch was developed on Linux, and has yet
to be tested in an IPv6 environment, though.

-- 
Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5





More information about the openssh-unix-dev mailing list