implementing port forward restrictions

Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE
Fri Nov 24 23:32:58 EST 2000


michael salmon <ms at speakeasy.org> writes:

> right now im implementing a quick hack to restrict ports the server
> will allow to be forwarded.

We've already done that.  At the moment, I'm porting our modifications
to the current (portable) OpenSSH version.  After that, it will be
released to the general public.

You can have the old version (based on 1.2.3), if you want to.

Here's a manpage excerpt:

CONFIGURATION FILE

...

     ForwardingControl
             Specifies the global forwarding control file (default
             /etc/sshd_forward). See the PORT-FORWARDING FILE FORMAT section
             for details.  This option can be used to restrict port forwarding
             to specific hosts and ports.  It is safe only if the remote user
             is not able to gain interactive access on the server machine and
             to execute arbitrary commands.  The file is not processed if a
             user-specific or RSA-key-specific forwarding control file is pre-
             sent.

...

AUTHORIZED_KEYS FILE FORMAT

...

     port-forwarding-file="FILE"
             Specifies a file which controls port forwarding. The quotes are
             optional.  If the file name does not start with a slash `/', it
             is assumed that the file is located in the directory $HOME/.ssh.
             See the PORT-FORWARDING FILE FORMAT section for details.  This
             option can be used to restrict port forwarding to specific hosts
             and ports.  It is safe only if the remote user is not able to
             gain interactive access on the server machine and to execute ar-
             bitrary commands.

...

PORT-FORWARDING FILE FORMAT
     The file controlling port forwarding is read each time a port forwarding
     request is received from the client and is processed line by line.  Lines
     starting with `#' and empty lines are ignored as comments.  Each line
     which is not a comment consists of two parts, separated by a colon `:', a
     host list and a port list.

     Host list  This part lists several host names or IP addresses, separated
                by spaces, and optionally prefixed by an exclamation mark `!',
                after which whitespace may follow.  An entry without a leading
                `!' is called positive; if a `!' prefix character is present,
                the entry is called negative.

                A host is said to match an entry in the host list if one or
                more of the following conditions are met (a leading `!' is ig-
                nored):

                o   The entry specifies the IP address (either in IPv4/dot or
                    IPv6/colon notation) of that host.

                o   The entry is a shell pattern which matches the IP address
                    of that host (in IPv4/dot or IPv6/colon notation, respec-
                    tively).

                o   (This condition applies only to IPv4 hosts.) The entry is
                    an IPv4 address, given in dotted-quad style, followed by a
                    slash `/' and decimal number specifying the number of set
                    bits in the netmask; and that host lies within this net-
                    work.

                o   The entry is a host name, and one of the corresponding IP
                    addresses matches that of the given host.

                A host matches the entire host list if and only if at least
                one entry matches, and the last (or rightmost) matching entry
                is positive.

     Port list  This part lists one or several TCP ports or port ranges.  A
                decimal number from 1 to 65535 specifies a TCP port, two decimal
                numbers in this range, the first one less than the second one,
                and both separated by `-', specify a TCP port range.  Each en-
                try can be prefixed with an exclamation mark `!', after which
                whitespace may follow.  Again, a given port is said to match
                the port list if it is contained in the list or lies within a
                specified port range.  The match is called positive if the
                last (or rightmost) matching entry is not prefixed with a `!',
                otherwise, the match is called negative.

     To determine whether a port forwarding request to a given host and port
     is legal, each non-comment line is processed as follows: If (and only if)
     the host list matches positively, the port list is examined, and if the
     port list matches positively or negatively, this fact is remembered.  A
     port forwarding request is granted if the last remembered port list match
     was a positive one, the request is denied if the last match was negative
     or there was not any match at all.

   Examples
     The following port-forwarding file permits forwarding to host somehost on
     port 80, and to any host in the 192.168.2.0/24 class C net, but not to
     192.168.2.1; port forwarding for these hosts is restricted to unprivi-
     leged TCP ports, excluding port 2049.  In addition, forwarding is denied
     for port 27456 on host 129.168.2.2.

     somehost : 80
     192.168.2.0/24 !192.168.2.1 : 1024-65536 !2049
     192.168.2.2 : !27456

...

     $HOME/.ssh/forward
             If this file exists, port forwarding control requests are matched
             against its contents (see section PORT-FORWARDING FILE FORMAT
             above for a description of the file format).  In the
             $HOME/.ssh/authorized_keys file, an alternative file name can be
             specified on a per-key basis.

     /etc/sshd_forward
             Like $HOME/.ssh/forward, this file is used to control port for-
             warding.  A forwarding request is matched against this file if it
             is present, and no user-specific or RSA-key-specific forwarding
             control file is given.

-- 
Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
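As an added illustration of the matching rules in the manpage excerpt above (this is not Florian's patch or any OpenSSH code), the following Python evaluates a port-forwarding control file the way the PORT-FORWARDING FILE FORMAT section describes: rightmost matching entry wins within a host list or port list, and the last remembered port-list match across all lines decides. Host names are compared literally against a caller-supplied name instead of being resolved via DNS, which is an assumption of this example only; the sample file is the one from the manpage's Examples section.

```python
import fnmatch
import ipaddress
import re

# Constructed sample: the three-line file from the manpage example above.
SAMPLE = "somehost : 80\n192.168.2.0/24 !192.168.2.1 : 1024-65536 !2049\n192.168.2.2 : !27456\n"

def _host_matches(entry, host, addr):
    # Exact IP, IPv4 CIDR, shell pattern on the address text, or literal host name.
    try:
        return ipaddress.ip_address(entry) == addr
    except ValueError:
        pass
    if "/" in entry and addr.version == 4:
        return addr in ipaddress.ip_network(entry, strict=False)
    if any(c in entry for c in "*?["):
        return fnmatch.fnmatchcase(str(addr), entry)
    return entry == host  # assumption: name compared literally; no DNS lookup here

def _port_matches(entry, port):
    lo, _, hi = entry.partition("-")  # "80" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def _last_match(part, pred):
    # None if no entry matched, else the sign (True = positive) of the rightmost match.
    result = None
    for tok in re.sub(r"!\s+", "!", part).split():  # "! x" is the same as "!x"
        neg, entry = tok.startswith("!"), tok.lstrip("!")
        if pred(entry):
            result = not neg
    return result

def forwarding_allowed(text, host, addr, port):
    # Manpage rule: the last remembered port-list match decides; no match at all denies.
    addr, verdict = ipaddress.ip_address(addr), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, _, ports = line.partition(":")
        if _last_match(hosts, lambda e: _host_matches(e, host, addr)) is not True:
            continue  # host list did not match positively: line is skipped
        m = _last_match(ports, lambda e: _port_matches(e, port))
        verdict = m if m is not None else verdict
    return verdict is True
```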
