restricting port forwarding ports server-side

Vincent Danen vdanen at mandrakesoft.com
Tue Mar 18 15:57:06 EST 2003


On Sat Mar 15, 2003 at 02:50:27PM +0000, Tony Finch wrote:

> >I'm curious as to whether or not there is a way to restrict forwarded ports
> >server side.  For instance, I'm running an IRC server and am allowing users
> >to connect via ssh forwarding (so I can take advantage of using openssh's
> >public key method for authentication).  Each client I tell to set up their
> >~/.ssh/config in a certain way, but the relevant line is:
> >
> >LocalForward 6667 localhost:42000
> >
> >where port 42000 is what ircd is listening to on the server.  This works
> >great, but my concern is a user changing this to localhost:3306 to gain
> >access to MySQL, which is firewalled off.
> 
> You can do this with my restricted-environment patch using appropriate
> PermitTcpConnect options.
> 
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104387691708672

Very nice!  This may be exactly what I'm looking for.  The other options
look pretty useful as well.  Thanks!

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
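
Added example, not part of the original message and not the restricted-environment patch: stock OpenSSH also has a per-key `permitopen="host:port"` option in `authorized_keys`, and this sketch audits such a file for keys that could forward to anything other than the ircd port. The allowed target, the sample entries and the function names are constructed for illustration.

```python
ALLOWED = {"localhost:42000"}          # assumption: ircd port from the thread
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one has no options

# Constructed sample authorized_keys entries; key material is shortened.
SAMPLE = '''\
# irc users
permitopen="localhost:42000",no-pty ssh-ed25519 AAAAC3Nza...alice alice@example
ssh-rsa AAAAB3Nza...bob bob@example
permitopen="localhost:42000",permitopen="localhost:3306" ssh-rsa AAAAB3Nza...carol carol@example
no-port-forwarding,command="/bin/true" ssh-rsa AAAAB3Nza...dave dave@example
'''

def split_options(line):
    """Split one entry into (options, rest); escaped quotes are not handled."""
    if line.startswith(KEY_TYPES):
        return [], line
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted          # quotes delimit a value, drop them
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            return opts + [cur], line[i:].strip()
        else:
            cur += ch
    return opts + [cur], ""              # options but no key: malformed line

def audit(text, allowed=ALLOWED):
    """Return (line_no, key_comment, problem) for keys that can forward elsewhere."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if "no-port-forwarding" in opts:
            continue                     # forwarding disabled for this key
        who = (rest.split() + ["?", "?", "?"])[2]
        targets = [o.split("=", 1)[1] for o in opts if o.lower().startswith("permitopen=")]
        if not targets:
            findings.append((no, who, "no permitopen: forward target unrestricted"))
        findings += [(no, who, f"permitopen allows {t}") for t in targets if t not in allowed]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```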
More information about the openssh-unix-dev mailing list