(no subject)

Craig Ruefenacht openssh at rufey.net
Sat Sep 27 05:49:28 EST 2003


I'm not on the openssh-unix-dev mailing list, but I want to ask about a feature
that I've put into my local implementation of OpenSSH the past year or so, and I
wanted to know if it was worthwhile to add it to the sources so that I don't have
to add it myself each time I upgrade...

About a year ago I was working for a company that wanted to use OpenSSH as a
server (on a Linux platform) for port forwarding.  We didn't want the users
connecting to the ssh server to be able to run a shell.  All we wanted them to
do was this:

    ssh -N -L <somePort>:localhost:<someOtherPort> foo.bar.com

We only wanted them to port forward to one host, localhost.  We didn't want them
to be able to forward any ports to any other host, like this:

    ssh -N -L <somePort>:someRandomMachine:<someOtherPort> foo.bar.com

While a firewall would block anyone from trying to port forward to *any* host on
the Internet, if you allow port forwarding, the user can port forward to
machines that are on the same network as the ssh server which don't have
personal firewalls installed, et al.

We didn't find anything that would make OpenSSH server behave like this.  So we
edited the code and added a config file option called
"allow_nonlocal_port_forward_destinations" and corresponding code in
serverloop.c in the server_request_direct_tcpip function:

        /*
         * allow_nonlocal_port_forward_destinations is the new sshd_config
         * option.  When it is unset, only a target of exactly "localhost"
         * may be connected to; when it is set, any target is accepted.
         * (Written this way it is equivalent to the original nested test.)
         */
        if (options.allow_nonlocal_port_forward_destinations ||
            strcmp(target, "localhost") == 0) {
          debug("port forwarding to target %s allowed", target);
          sock = channel_connect_to(target, target_port);
        } else {
          debug("port forwarding to target %s not allowed", target);
          sock = -1;    /* refuse the direct-tcpip channel open */
        }

This code effectively allows the OpenSSH server to be configured to only allow
port forwarding if the destination host is the OpenSSH server itself (or, more
technically, whatever "localhost" resolves to on the OpenSSH server).

If anyone on the dev list thinks this is a worthwhile option to add to OpenSSH,
please let me know.  I can provide diffs for OpenSSH-3.7.1p1 for servconf.c,
servconf.h, and serverloop.c.  Alternatively, you can simply incorporate the
above code into serverloop.c, and corresponding changes in the servconf.c/h files.

I'm not sure how this would affect the -D option (dynamic application-level port
forwarding, I've never used it).

In any case, I'd like to be able to deny all port forwardings except to
"localhost" (maybe even change it so that you can specify a host or list of
hosts to which ports can be forwarded).
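The decision logic described above, and the "host or list of hosts" extension the
post suggests, as an added stand-alone example. This is not the OpenSSH code and
not the patch offered in the post; the `struct forward_policy` type, the
`forward_target_allowed()` function, the `*_allowed()` wrappers and the sample
host names are all assumptions made up for illustration. It keeps the post's
exact-string comparison, so "127.0.0.1" or "::1" is refused under a
localhost-only policy unless it is explicitly listed:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy object standing in for the sshd_config options. */
struct forward_policy {
    int allow_nonlocal;             /* mirrors allow_nonlocal_port_forward_destinations */
    const char *const *allowed;     /* optional NULL-terminated allow-list of hosts */
};

/*
 * Return 1 if a direct-tcpip request to `target` should be honoured, 0 if it
 * should be refused (the caller would then set sock = -1, as in the post).
 * The comparison is on the literal host string the client sent, exactly as
 * strcmp(target, "localhost") does in the post; no name resolution is done.
 */
int forward_target_allowed(const struct forward_policy *p, const char *target)
{
    if (p == NULL || target == NULL)
        return 0;                          /* fail closed on a bad request */
    if (p->allow_nonlocal)
        return 1;                          /* option set: any destination */
    if (strcmp(target, "localhost") == 0)
        return 1;                          /* option unset: only "localhost" */
    if (p->allowed != NULL) {              /* suggested extension: allow-list */
        for (const char *const *h = p->allowed; *h != NULL; h++)
            if (strcmp(*h, target) == 0)
                return 1;
    }
    return 0;
}

/* Policy exactly as the post describes: "localhost" only. */
int localhost_only_allowed(const char *target)
{
    struct forward_policy p = { 0, NULL };
    return forward_target_allowed(&p, target);
}

/* Policy with allow_nonlocal_port_forward_destinations set. */
int nonlocal_allowed(const char *target)
{
    struct forward_policy p = { 1, NULL };
    return forward_target_allowed(&p, target);
}

/* Constructed allow-list (sample host names, not real infrastructure). */
static const char *const sample_allowlist[] = {
    "127.0.0.1", "db.internal.example", NULL
};

/* Policy with the suggested list-of-hosts extension. */
int allowlist_allowed(const char *target)
{
    struct forward_policy p = { 0, sample_allowlist };
    return forward_target_allowed(&p, target);
}

int main(void)
{
    /* Constructed targets mirroring the two ssh -L commands in the post. */
    const char *targets[] = { "localhost", "127.0.0.1", "someRandomMachine",
                              "db.internal.example", NULL };
    for (const char **t = targets; *t != NULL; t++) {
        printf("%-22s localhost-only=%d nonlocal=%d allowlist=%d\n", *t,
               localhost_only_allowed(*t), nonlocal_allowed(*t),
               allowlist_allowed(*t));
    }
    return 0;
}
```

Because a client's -D SOCKS proxy is also realised as direct-tcpip channel open
requests to the server, a check placed in server_request_direct_tcpip applies to
dynamic forwarding as well; the policy should be evaluated on the server for
every such request rather than trusted from the client side. Later OpenSSH
releases ship a PermitOpen sshd_config directive that expresses this kind of
destination allow-list.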

Please let me know what the consensus is.  I realize that this may not be a
high-demand type option, i.e. not many people would be in a configuration where
the feature would be useful, and bloating software to incorporate every
imaginable function isn't desirable, but I think it could be useful enough to at
least consider inserting it into the code base.

Again, I'm not on the openssh-unix-dev mailing list, so send me a reply to
openssh at rufey.net.

Thanks for your time.

--Craig Ruefenacht
