restricting port forwarding ports server-side

Vincent Danen vdanen at
Tue Mar 18 15:57:06 EST 2003

On Sat Mar 15, 2003 at 02:50:27PM +0000, Tony Finch wrote:

> >I'm curious as to whether or not there is a way to restrict forwarded ports
> >server side.  For instance, I'm running an IRC server and am allowing users
> >to connect via ssh forwarding (so I can take advantage of using openssh's
> >public key method for authentication).  Each client I tell to set up their
> >~/.ssh/config in a certain way, but the relevant line is:
> >
> >LocalForward 6667 localhost:42000
> >
> >where port 42000 is what ircd is listening to on the server.  This works
> >great, but my concern is a user changing this to localhost:3306 to gain
> >access to MySQL, which is firewalled off.
> You can do this with my restricted-environment patch using appropriate
> PermitTcpConnect options.

Very nice!  This may be exactly what I'm looking for.  The other options
look pretty useful as well.  Thanks!

MandrakeSoft Security;
Online Security Resource Book;
"lynx -source | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
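
An added example, not part of the original post and not the restricted-environment patch mentioned above: stock OpenSSH can pin a key's forwards with the `permitopen="host:port"` option in `authorized_keys`, and this Python sketch audits such a file for keys that could still reach other ports such as 3306. The sample lines, key blobs, user names and the `parse_line`/`audit` helpers are constructed for illustration.

```python
import re

ALLOWED = {"localhost:42000"}  # the ircd target named in the thread

# Constructed sample authorized_keys content; key blobs are placeholders.
SAMPLE = '''\
# constructed sample, not real keys
permitopen="localhost:42000",no-pty ssh-rsa AAAAPLACEHOLDER1 alice
ssh-rsa AAAAPLACEHOLDER2 bob
permitopen="localhost:42000",permitopen="localhost:3306" ssh-rsa AAAAPLACEHOLDER3 carol
no-port-forwarding ssh-rsa AAAAPLACEHOLDER4 dave
'''

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# name or name="value", where the value may contain escaped quotes
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse_line(line):
    """Return (options dict, key comment) for one authorized_keys entry."""
    fields = line.split()
    if fields[0].startswith(KEY_TYPES):          # no options field at all
        return {}, fields[2] if len(fields) > 2 else "?"
    in_quotes, i = False, 0
    for i, ch in enumerate(line):                # options end at the first
        if ch == '"' and line[i - 1:i] != "\\":  # whitespace outside quotes
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            break
    opts = {}
    for m in OPTION.finditer(line[:i]):
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
    rest = line[i:].split()
    return opts, rest[2] if len(rest) > 2 else "?"

def audit(text):
    """Map each key comment to a verdict on where it may forward."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, who = parse_line(line)
        if "no-port-forwarding" in opts or (
                "restrict" in opts and "port-forwarding" not in opts):
            findings[who] = "forwarding disabled"
        elif "permitopen" not in opts:
            findings[who] = "UNRESTRICTED: any host:port"
        else:
            extra = sorted(set(opts["permitopen"]) - ALLOWED)
            findings[who] = "EXTRA: " + ",".join(extra) if extra else "ok"
    return findings

if __name__ == "__main__":
    for who, verdict in audit(SAMPLE).items():
        print(f"{who:8} {verdict}")
```

The check covers per-key options only; server-wide settings in `sshd_config` and any shell access the account has are outside what it inspects.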