Better port forwarding control
Kieran Barry
kbarry at snaz.com
Wed Mar 7 07:48:28 EST 2001
Hi,
I've just joined the list, so please forgive if I missed something in the FAQ/docs etc.
Overview
I am likely to need to allow someone (untrusted) to forward a port on one of my boxes to one of theirs for EDI. It appears to involve only one port, so an IPSEC-type VPN is likely to be over the top. I'd like to do this with ssh port forwarding, but to only allow a single port to be forwarded. I'd also like to prevent the remote party forwarding a local (on their machine) port to random ports on machines in my DMZ.

The target platforms I am aware of are Linux/Solaris boxes. This raises questions about coding against the portable vs non-portable code bases.

Since I know less about the codebase than you guys, I'd like some guidance on the following:

My plan is to provide an account, a dsa key, and a shell which effectively goes to sleep for a week, and ask the other party to put this in a loop.

Is there an easier way to do what I want to do, either with ssh or another tool?
I have a couple of questions on the project:
1. Would patches adding this sort of functionality be accepted by the project if they followed man 9 style?
2. Which source tree would patches need to work against?
3. I would need to add statements to sshd_config (and the ServerOptions struct in servconf.h). Could someone sanity check the outline spec below to tell me what they think?
Spec
Sshd_config changes
Either:
New values for the AllowTcpForwarding keyword (valid values now [no | incoming | outgoing | yes]):
incoming would allow a -L type connection
outgoing would allow a -R type connection
yes would allow both
Or:
New keywords IncomingPortsAllowed, OutgoingPortsAllowed (and maybe IncomingPortsDenied, OutgoingPortsDenied. I would prefer a default deny stance, but I could be persuaded otherwise.)
Probably a combination of both is best.
type ServerOptions (from servconf.h) changes:
Add the following to the structure:
u_int num_allow_incoming_forwarded_ports;
char *allow_incoming_forwarded_ports;
u_int num_allow_outgoing_forwarded_ports;
char *allow_outgoing_forwarded_ports;
Extra source files:
Add .c and .h files
portaccess
or
incomingportaccess and outgoingportaccess
similar to groupaccess.[ch]
Any other tips would be useful.
Thanks for your time.
Regards
Kieran
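The configuration model proposed in the message above, worked through as an added Python example (it is not OpenSSH code and not part of the original post): it parses the proposed AllowTcpForwarding values and the IncomingPortsAllowed/OutgoingPortsAllowed keywords with the default-deny stance the post prefers, and answers whether a given forward request would be permitted. The direction names follow the post's own -L/-R mapping, the keyword handling is an assumption about how the proposal would be implemented, and the sample config is constructed.

```python
# Added example, not OpenSSH code: a model of the sshd_config controls proposed
# in the post. Keyword names, the incoming/outgoing values and the default-deny
# stance are assumptions taken from the proposal; the sample config is constructed.
INCOMING, OUTGOING = "incoming", "outgoing"     # post's terms: -L style / -R style
MODES = {"no": set(), "incoming": {INCOMING}, "outgoing": {OUTGOING},
         "yes": {INCOMING, OUTGOING}}
PORT_KEYWORDS = {"incomingportsallowed": INCOMING, "outgoingportsallowed": OUTGOING}

SAMPLE_CONFIG = """\
AllowTcpForwarding incoming
IncomingPortsAllowed 8443 9000   # the single EDI port, plus a test port
OutgoingPortsAllowed 2222        # listed, but the direction is not enabled
"""

def parse_port(token):
    """Accept only 1..65535; anything else is a config error, not a silent skip."""
    if not token.isdigit() or not 1 <= int(token) <= 65535:
        raise ValueError("bad port %r" % token)
    return int(token)

def parse_config(text):
    """Parse the proposed keywords from sshd_config-style text.
    Returns {"directions": set of enabled directions,
             "allowed": {direction: set of permitted ports}}.
    Other keywords are out of scope and ignored; a bad value is a hard error.
    """
    opts = {"directions": set(), "allowed": {INCOMING: set(), OUTGOING: set()}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        keyword, _, args = line.replace("\t", " ").partition(" ")
        keyword, args = keyword.lower(), args.strip()
        if keyword == "allowtcpforwarding":
            if args not in MODES:
                raise ValueError("line %d: bad AllowTcpForwarding value %r" % (lineno, args))
            opts["directions"] = set(MODES[args])
        elif keyword in PORT_KEYWORDS:
            opts["allowed"][PORT_KEYWORDS[keyword]].update(parse_port(t) for t in args.split())
    return opts

def forward_permitted(opts, direction, port):
    """Default deny: the direction must be enabled AND the port must be listed."""
    return direction in opts["directions"] and port in opts["allowed"][direction]

if __name__ == "__main__":
    opts = parse_config(SAMPLE_CONFIG)
    for direction, port in [(INCOMING, 8443), (INCOMING, 22), (OUTGOING, 2222)]:
        print(direction, port, "allow" if forward_permitted(opts, direction, port) else "deny")
```

OpenSSH later shipped equivalent controls as AllowTcpForwarding local/remote, PermitOpen and PermitListen, so on a current sshd these are the knobs to reach for rather than a private patch.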