Security suggestion concerning SSH and port forwarding.

Darren Tucker dtucker at zip.com.au
Mon Jan 19 20:54:36 EST 2004


Krister Bergman wrote:
> sorry if it is the wrong approach to suggest improvements to OpenSSH,
> but here comes my suggestion:
> 
> I recently stumbled upon the scponly shell which in its chrooted form is
> an ideal solution when you want to share some files with people you trust
> more or less.
> 
> The problem is, if you use the scponlyc as shell, port forwarding is still
> allowed. This can of course be disallowed in sshd_config, but not only
> for certain users and/or groups.

If you're using public-key authentication you can use the 
no-port-forwarding flag on the key:

$ man sshd
AUTHORIZED_KEYS FILE FORMAT
[snip]
   no-port-forwarding
      Forbids TCP/IP forwarding when this key is used for authentication.
      Any port forward requests by the client will return an error.  This
      might be used, e.g., in connection with the command option.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
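The options field described in the man page excerpt above is easy to get wrong by hand (a quoted command= value may itself contain commas and spaces), so here is a small audit script, added as an example and not part of the original message or of OpenSSH, that parses authorized_keys lines the way the AUTHORIZED_KEYS FILE FORMAT section lays them out and lists the keys that would still permit TCP forwarding. The sample file content and the key material in it are constructed placeholders.

```python
# Constructed sample authorized_keys content (not from the original message);
# the key material is placeholder text, not real keys.
SAMPLE = """\
no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER1 alice
ssh-rsa AAAAB3PLACEHOLDER2 bob
command="/usr/bin/scponlyc -a, -b",no-pty ssh-ed25519 AAAAC3PLACEHOLDER3 carol
restrict,port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER4 dave
"""

def split_options(line: str):
    # Options field: unquoted commas separate options, first unquoted space ends it.
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):  # keep escaped char as-is
            cur.append(line[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur)); cur = []; i += 1; continue
        elif c.isspace() and not quoted:
            break
        cur.append(c); i += 1
    opts.append("".join(cur))
    return opts, line[i:].strip()  # (options, remainder starting at key type)

def parse_line(line: str):
    # One authorized_keys line -> dict; blank lines and '#' comments yield None.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, line = split_options(line)  # first field is not a key type
    keytype, key, comment = (line.split(None, 2) + [""])[:3]
    return {"options": options, "keytype": keytype, "key": key, "comment": comment}

def forbids_port_forwarding(options) -> bool:
    # Later options win; 'restrict' (OpenSSH 7.2+) implies no-port-forwarding
    # unless a later 'port-forwarding' re-enables it. Names are case-insensitive.
    forbid = False
    for opt in options:
        name = opt.split("=", 1)[0].lower()
        if name in ("no-port-forwarding", "restrict"):
            forbid = True
        elif name == "port-forwarding":
            forbid = False
    return forbid

def keys_allowing_port_forwarding(text: str) -> list:
    # Comments of keys in an authorized_keys file that still permit TCP forwarding.
    parsed = (parse_line(l) for l in text.splitlines())
    return [k["comment"] for k in parsed if k and not forbids_port_forwarding(k["options"])]
```

On OpenSSH 4.4 and later, a `Match User` or `Match Group` block in sshd_config with `AllowTcpForwarding no` gives the same per-user restriction without editing each key.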
