implementing port forward restrictions

michael salmon ms at speakeasy.org
Fri Nov 24 07:50:40 EST 2000


My original need is to have it only for -L but -R could be done also, just in 
a different manner.  I noticed in the mail archives the reference to keynote 
and did take a look at it. For my first pass I'll just do it without it, then 
later read rfc 2704 and see about implementing it that way.

-ms-

(this list-serv is reaaaaallllllyyy sllooowwww)

On Thursday 23 November 2000 12:47, Markus Friedl wrote:
> for -R or -L style forwarding?
>
> these kind of policy configurations should be implemented
> with keynote (see rfc2704).
>
> -markus
>
> On Wed, Nov 22, 2000 at 02:14:52PM -0800, michael salmon wrote:
> > hi folks,
> > right now I'm implementing a quick hack to restrict ports the server will
> > allow to be forwarded. This is to heighten security from clients
> > accessing a server behind a firewall and as far as I could tell this is
> > not possible with ssh so far.
> > I think this is a reasonable feature for a release and shouldn't be too
> > hard to implement in a way that follows the setup already used in the
> > config and sshd handling of connections. I searched the mailing-list
> > archives and found a few small references to it but none implied it was
> > being worked on. When I finish this if the list wants the diffs I'd be
> > happy to supply them. I'd like the opinion of the other developers as to
> > a key in the sshd_config that would be obvious yet not too long to define
> > the ports, and the layout. I was thinking
> > HostAllowsPortsForwarded 143 2401 etc... space delimited numbers.
> >
> > cheers,
> > michael salmon
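
A sketch of how the space-delimited port list proposed above could be parsed and enforced server-side. This is an added example, not code from the thread or from OpenSSH; the names fwd_policy, parse_fwd_ports and fwd_port_allowed are hypothetical, and HostAllowsPortsForwarded is only the key name suggested in the message.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#define MAX_FWD_PORTS 32
/* Hypothetical holder for the proposed HostAllowsPortsForwarded value. */
struct fwd_policy {
	int nports;
	unsigned short ports[MAX_FWD_PORTS];
};

/* Parse e.g. "143 2401". Returns 0, or -1 with an empty policy on error. */
int parse_fwd_ports(const char *s, struct fwd_policy *p)
{
	char *end;
	long v;
	for (p->nports = 0;; s = end) {
		while (*s == ' ' || *s == '\t')
			s++;
		if (*s == '\0')
			return p->nports > 0 ? 0 : -1;	/* empty list is an error */
		errno = 0;
		/* strtol() accepts a sign, so insist on a leading digit. */
		v = isdigit((unsigned char)*s) ? strtol(s, &end, 10) : 0;
		if (errno != 0 || v < 1 || v > 65535 ||
		    (*end != '\0' && *end != ' ' && *end != '\t') ||
		    p->nports == MAX_FWD_PORTS) {
			p->nports = 0;	/* fail closed: keep no partial list */
			return -1;
		}
		p->ports[p->nports++] = (unsigned short)v;
	}
}

/* Default deny: a forward is allowed only if its port is listed. */
int fwd_port_allowed(const struct fwd_policy *p, int port)
{
	for (int i = 0; i < p->nports; i++)
		if (p->ports[i] == port)
			return 1;
	return 0;
}

/* Constructed sample: the value proposed in the message above. */
int main(void)
{
	struct fwd_policy p;
	return parse_fwd_ports("143 2401", &p) == 0 && fwd_port_allowed(&p, 143) ? 0 : 1;
}
```

A malformed token such as "143x" or "70000" rejects the whole line, so a typo in the config cannot leave a partial or wider policy in effect.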




