Security suggestion concerning SSH and port forwarding.

Krister Bergman bell at milliways.st
Mon Jan 19 20:09:02 EST 2004


Hi,

sorry if it is the wrong approach to suggest improvements to OpenSSH,
but here comes my suggestion:

I recently stumbled upon the scponly shell which in its chrooted form is
an ideal solution when you want to share some files with people you trust
more or less.

The problem is, if you use scponlyc as shell, port forwarding is still
allowed. This can of course be disallowed in sshd_config, but not only
for certain users and/or groups.

Example scenario:

You're on a private network, behind a firewall. You're letting port 22 in
to your Linux machine. A few trusted people have normal accounts on this
machine allowing them to use -L to forward ports to other machines on the
private network.

Still you want to give other, less trusted people, access to file areas on
the same machine. You want to keep this as secure as possible and want to
give them accounts allowing them file access to a certain chrooted
environment by using the scponlyc shell. You do NOT want these people to
be able to, for example, use port forwarding to access some less secure
W*ndows machines in the private network.

I know a workaround would be to use two different ssh servers with two
different sshd_config files, each allowing only a certain range of users,
one allowing port forwarding and one not allowing it.

A nicer solution would be if it could be specified in the sshd_config
which users are allowed to use port forwarding.

Please cc: all answers to me, since I'm not a member of this mailing list.



Best Regards

 Krister Bergman
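The per-user control asked for above was later added to OpenSSH as Match blocks (OpenSSH 4.4 and newer). The fragment below is an added example of that mechanism, not part of the 2004 post and not the OpenSSH project's own documentation. The group names `scponly` and `tunnel`, the chroot path `/home/%u`, and the use of the built-in `internal-sftp` subsystem (OpenSSH 4.9 and newer) instead of the scponlyc shell are assumptions made for the example.

```sshd_config
# Added example, not from the original post. Requires OpenSSH 4.4+ for
# Match blocks; the ChrootDirectory/internal-sftp lines need 4.9+.
# Group names "scponly" and "tunnel" are assumptions.

# Global defaults: deny every kind of forwarding, then re-enable it only
# for the group that needs it. Deny-by-default means a new account that
# lands in neither group gets no tunnels.
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no

# Match blocks must come after all global options; each one applies until
# the next Match line or end of file.

# Less trusted, file-only accounts: forwarding stays off and the session
# is pinned to SFTP inside a chroot. This is the built-in equivalent of
# scponlyc; drop the last two lines if you keep scponlyc as login shell.
Match Group scponly
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

# Trusted accounts: only this group may use -L/-R style forwarding.
Match Group tunnel
    AllowTcpForwarding yes
```

Two practical checks: `ChrootDirectory` refuses to work unless the directory and every parent are owned by root and not group- or world-writable, so a chroot at `/home/%u` needs the user's writable area in a subdirectory. After editing, `sshd -t -f /etc/ssh/sshd_config` validates the syntax, and `sshd -T -C user=alice` prints the effective configuration a given user would receive, which is the quickest way to confirm that `allowtcpforwarding no` is what an scponly-group account actually gets. For key-based logins on releases without Match support, the `no-port-forwarding` option in front of a key in `authorized_keys` gives the same restriction per key.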



