implementing port forward restrictions
Florian Weimer
Florian.Weimer at RUS.Uni-Stuttgart.DE
Fri Nov 24 23:32:58 EST 2000
michael salmon <ms at speakeasy.org> writes:
> right now I'm implementing a quick hack to restrict ports the server
> will allow to be forwarded.
We've already done that. At the moment, I'm porting our modifications
to the current (portable) OpenSSH version. After that, it will be
released to the general public.
You can have the old version (based on 1.2.3), if you want to.
Here's a manpage excerpt:
CONFIGURATION FILE
...
ForwardingControl
Specifies the global forwarding control file (default
/etc/sshd_forward). See the PORT-FORWARDING FILE FORMAT section
for details. This option can be used to restrict port forwarding
to specific hosts and ports. It is safe only if the remote user
is not able to gain interactive access on the server machine and
to execute arbitrary commands. The file is not processed if a
user-specific or RSA-key-specific forwarding control file is present.
...
AUTHORIZED_KEYS FILE FORMAT
...
port-forwarding-file="FILE"
Specifies a file which controls port forwarding. The quotes are
optional. If the file name does not start with a slash `/', it
is assumed that the file is located in the directory $HOME/.ssh.
See the PORT-FORWARDING FILE FORMAT section for details. This
option can be used to restrict port forwarding to specific hosts
and ports. It is safe only if the remote user is not able to
gain interactive access on the server machine and to execute
arbitrary commands.
...
PORT-FORWARDING FILE FORMAT
The file controlling port forwarding is read each time a port forwarding
request is received from the client and is processed line by line. Lines
starting with `#' and empty lines are ignored as comments. Each line
which is not a comment consists of two parts, separated by a colon `:', a
host list and a port list.
Host list This part lists several host names or IP addresses, separated
by spaces, and optionally prefixed by an exclamation mark `!',
after which whitespace may follow. An entry without a leading
`!' is called positive; if a `!' prefix character is present,
the entry is called negative.
A host is said to match an entry in the host list if one or
more of the following conditions are met (a leading `!' is
ignored):
o The entry specifies the IP address (either in IPv4/dot or
IPv6/colon notation) of that host.
o The entry is a shell pattern which matches the IP address
of that host (in IPv4/dot or IPv6/colon notation,
respectively).
o (This condition applies only to IPv4 hosts.) The entry is
an IPv4 address, given in dotted-quad style, followed by a
slash `/' and a decimal number specifying the number of set
bits in the netmask; and that host lies within this
network.
o The entry is a host name, and one of the corresponding IP
addresses matches that of the given host.
A host matches the entire host list if and only if at least
one entry matches, and the last (or rightmost) matching entry
is positive.
Port list This part lists one or several TCP ports or port ranges. A
decimal number from 1 to 65535 specifies a TCP port; two decimal
numbers in this range, the first one less than the second one,
and both separated by `-', specify a TCP port range. Each
entry can be prefixed with an exclamation mark `!', after which
whitespace may follow. Again, a given port is said to match
the port list if it is contained in the list or lies within a
specified port range. The match is called positive if the
last (or rightmost) matching entry is not prefixed with a `!';
otherwise, the match is called negative.
To determine whether a port forwarding request to a given host and port
is legal, each non-comment line is processed as follows: If (and only if)
the host list matches positively, the port list is examined, and if the
port list matches positively or negatively, this fact is remembered. A
port forwarding request is granted if the last remembered port list match
was a positive one; the request is denied if the last match was negative
or there was no match at all.
Examples
The following port-forwarding file permits forwarding to host somehost on
port 80, and to any host in the 192.168.2.0/24 class C net, but not to
192.168.2.1; port forwarding for these hosts is restricted to unprivileged
TCP ports, excluding port 2049. In addition, forwarding is denied
for port 27456 on host 129.168.2.2.
somehost : 80
192.168.2.0/24 !192.168.2.1 : 1024-65536 !2049
192.168.2.2 : !27456
...
$HOME/.ssh/forward
If this file exists, port forwarding control requests are matched
against its contents (see section PORT-FORWARDING FILE FORMAT
above for a description of the file format). In the
$HOME/.ssh/authorized_keys file, an alternative file name can be
specified on a per-key basis.
/etc/sshd_forward
Like $HOME/.ssh/forward, this file is used to control port
forwarding. A forwarding request is matched against this file if it
is present, and no user-specific or RSA-key-specific forwarding
control file is given.
--
Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
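The matching rules in the PORT-FORWARDING FILE FORMAT section above are precise enough to be executed, so here is a reference evaluator for them as an added example. It is not Florian's sshd patch and not OpenSSH code; it implements the documented semantics (last matching entry wins within a list, a host list must match positively before its port list is consulted, the last remembered port verdict decides, and no match means deny). It assumes host names are resolved through a constructed lookup table rather than DNS, shell patterns are matched with Python's fnmatch, and the sample file below is a constructed copy of the manpage example with the range written as 1024-65535, since the 65536 in the original example lies outside the documented 1..65535 port range and a strict parser rejects it.

```python
"""Reference evaluator for the port-forwarding control file format described
in the manpage excerpt (added example, not the patch's own code)."""
import fnmatch
import ipaddress

# Constructed sample mirroring the manpage example (range bound clamped to 65535).
SAMPLE_FORWARD_FILE = """\
# hosts : ports
somehost : 80
192.168.2.0/24 ! 192.168.2.1 : 1024-65535 !2049
192.168.2.2 : !27456
"""

# Hypothetical stand-in for DNS resolution: host name -> list of addresses.
HOST_TABLE = {"somehost": ["10.0.0.5"]}


def parse_entries(part):
    """Split a host or port list into (negated, token) pairs. The manpage allows
    whitespace after '!', so a lone '!' token negates the token that follows it."""
    entries, pending = [], False
    for tok in part.split():
        if tok == "!":
            pending = True
            continue
        neg = pending or tok.startswith("!")
        entries.append((neg, tok[1:] if tok.startswith("!") else tok))
        pending = False
    return entries


def parse_port_entry(entry):
    """Return (lo, hi) for a port or 'lo-hi' range; reject anything outside
    1..65535 or a range whose first number is not below the second."""
    if "-" in entry:
        lo, hi = (int(x) for x in entry.split("-", 1))
        if not 1 <= lo < hi <= 65535:
            raise ValueError(f"bad port range {entry!r}")
        return lo, hi
    p = int(entry)
    if not 1 <= p <= 65535:
        raise ValueError(f"bad port {entry!r}")
    return p, p


def parse_rules(text):
    """Parse the file into [(host_entries, port_entries)], skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hosts, sep, ports = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in line {raw!r}")
        port_entries = [(neg, parse_port_entry(tok)) for neg, tok in parse_entries(ports)]
        rules.append((parse_entries(hosts), port_entries))
    return rules


def host_entry_matches(entry, addr, host_table):
    """The four host-entry conditions from the manpage, checked against addr."""
    ip = ipaddress.ip_address(addr)
    try:                                   # 1. literal IPv4/IPv6 address
        if ipaddress.ip_address(entry) == ip:
            return True
    except ValueError:
        pass
    if "/" in entry and ip.version == 4:   # 3. IPv4 network in prefix-length form
        try:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == 4 and ip in net:
                return True
        except ValueError:
            pass
    if any(c in entry for c in "*?[") and fnmatch.fnmatchcase(str(ip), entry):
        return True                        # 2. shell pattern over the textual address
    return any(ipaddress.ip_address(a) == ip for a in host_table.get(entry, []))  # 4. name


def last_match(entries, matches):
    """Rightmost matching entry decides: True (positive), False (negative),
    None when nothing in the list matched."""
    verdict = None
    for neg, item in entries:
        if matches(item):
            verdict = not neg
    return verdict


def forwarding_allowed(rules, addr, port, host_table=HOST_TABLE):
    """Grant only if the last remembered port-list match was positive."""
    decision = None
    for host_entries, port_entries in rules:
        if last_match(host_entries, lambda e: host_entry_matches(e, addr, host_table)) is True:
            verdict = last_match(port_entries, lambda r: r[0] <= port <= r[1])
            if verdict is not None:
                decision = verdict
    return decision is True


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FORWARD_FILE)
    for addr, port in [("10.0.0.5", 80), ("192.168.2.5", 2049), ("192.168.2.1", 8080), ("192.168.2.2", 27456)]:
        print(addr, port, "allow" if forwarding_allowed(rules, addr, port) else "deny")
```

Two properties of the format show up directly in the evaluator: a negative host entry only cancels earlier positive entries on the same line (192.168.2.1 is excluded from the /24 line, so nothing is remembered for it and the default deny applies), and a later line can override an earlier grant (the third line turns the /24 grant for 192.168.2.2:27456 into a denial). Rejecting malformed port entries at parse time keeps the control file fail-closed rather than silently ignoring a rule.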