restricting port forwarding ports server-side

Vincent Danen vdanen at linsec.ca
Sat Mar 15 11:28:22 EST 2003


I'm curious as to whether or not there is a way to restrict forwarded ports
server side.  For instance, I'm running an IRC server and am allowing users
to connect via ssh forwarding (so I can take advantage of using openssh's
public key method for authentication).  I tell each client to set up their
~/.ssh/config in a certain way, but the relevant line is:

LocalForward 6667 localhost:42000

where port 42000 is what ircd is listening on on the server.  This works
great, but my concern is a user changing this to localhost:3306 to gain
access to MySQL, which is firewalled off.

Reading O'Reilly's book on ssh, I see that F-Secure has a config option
"AllowForwardingPort" to allow a range of ports that can be forwarded, but
no mention of openssh having the same functionality.

Basically, what I'd like to see in my (server-side) authorized_keys file is
something like:

no-pty,command="sleep 20",allowforwardingport="42000" ssh-dss [key]

So that I can restrict what ports can be forwarded on a per-account basis (I
only want this restriction for this one "general" user that everyone uses to
obtain access to the IRC server).

I know the book is a little dated, but has anything like this appeared in
openssh yet?  If not, are there perhaps plans to do something like this?  I
think it could be invaluable.  Or, if there are no plans, does anyone have
any ideas how I could implement something like this?

Thanks very much in advance.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
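The per-key restriction asked about above, as an added example that is not part of the original post and not OpenSSH's own code: OpenSSH's authorized_keys file does accept a permitopen="host:port" option, which limits the destinations a LocalForward through that key may connect to on the server side (several permitopen options can be stacked, no-port-forwarding disables forwarding entirely, and newer releases add restrict, which turns forwarding off unless port-forwarding re-enables it). The script below is a constructed audit tool, not sshd code: it parses the leading options field of an authorized_keys file the way sshd tokenizes it (comma-separated, double-quoted values, backslash-escaped quotes) and reports which keys can still forward to any host and port, such as the MySQL port the post worries about. The sample file, keys and comments are made up for the example.

```python
"""Audit an OpenSSH authorized_keys file for keys whose port forwarding
is unrestricted.  Added example; not code from the post or from OpenSSH."""

# Key types that can start a line with no options field in front of them.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def is_key_type(token):
    return any(token == p or token.startswith(p) for p in KEY_TYPE_PREFIXES)


def parse_options(text):
    """Split the leading options field off an authorized_keys line.

    Returns (options, rest): options maps lower-cased option name to a
    list of values (None for flag options); rest is the key itself.
    Values may be double-quoted, with \\" escaping an embedded quote,
    and the field ends at the first whitespace outside quotes.
    """
    opts, i, n = {}, 0, len(text)
    while i < n:
        start = i
        while i < n and text[i] not in "=," and not text[i].isspace():
            i += 1
        name = text[start:i].lower()
        value = None
        if i < n and text[i] == "=":
            i += 1
            if i < n and text[i] == '"':
                i += 1
                buf = []
                while i < n and text[i] != '"':
                    if text[i] == "\\" and i + 1 < n and text[i + 1] == '"':
                        i += 1  # skip the backslash, keep the quote
                    buf.append(text[i])
                    i += 1
                if i >= n:
                    raise ValueError("unterminated quoted value for %s" % name)
                i += 1  # closing quote
                value = "".join(buf)
            else:
                start = i
                while i < n and text[i] != "," and not text[i].isspace():
                    i += 1
                value = text[start:i]
        opts.setdefault(name, []).append(value)
        if i < n and text[i] == ",":
            i += 1
            continue
        break
    return opts, text[i:].lstrip()


def audit_line(line):
    """Describe one key line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    opts, rest = ({}, line) if is_key_type(first) else parse_options(line)
    fields = rest.split()
    if len(fields) < 2 or not is_key_type(fields[0]):
        raise ValueError("malformed key line: %r" % line)
    # Forwarding policy: no-port-forwarding wins; restrict disables
    # forwarding unless port-forwarding is also given; otherwise the
    # permitopen list applies, and with none of these anything goes.
    if "no-port-forwarding" in opts:
        forward_to = []
    elif "restrict" in opts and "port-forwarding" not in opts:
        forward_to = []
    elif "permitopen" in opts:
        forward_to = list(opts["permitopen"])
    else:
        forward_to = ["*:*"]
    return {
        "type": fields[0],
        "comment": " ".join(fields[2:]),
        "forward_to": forward_to,
        "unrestricted": forward_to == ["*:*"],
    }


def audit(text):
    return [r for r in (audit_line(l) for l in text.splitlines()) if r]


def unrestricted_keys(text):
    """Comments of keys that may forward to any host:port on the server."""
    return [r["comment"] for r in audit(text) if r["unrestricted"]]


# Constructed sample; the key material is truncated and not a real key.
SAMPLE = """\
# IRC access key as in the post: sleep keeps the tunnel open, no shell
no-pty,command="sleep 20" ssh-dss AAAAB3NzaC1kc3MAAACBAL ircuser-unrestricted
no-pty,command="sleep 20",permitopen="localhost:42000" ssh-dss AAAAB3NzaC1kc3MAAACBAL ircuser-restricted
permitopen="localhost:42000",permitopen="localhost:42001",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQ ircuser-two-ports
restrict,port-forwarding,permitopen="127.0.0.1:42000" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI ircuser-modern
no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQ shell-only
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ admin@host
"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        flag = "OPEN" if r["unrestricted"] else "ok  "
        print(flag, r["comment"], "->", ", ".join(r["forward_to"]) or "(none)")
```

Run against a real file with `python3 audit.py < ~/.ssh/authorized_keys` after swapping SAMPLE for sys.stdin.read(); any line flagged OPEN is a key whose holder can rewrite LocalForward to point at 3306 or anything else the server can reach.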


More information about the openssh-unix-dev mailing list