Security suggestion concering SSH and port forwarding.

Krister Bergman bell at
Mon Jan 19 21:09:51 EST 2004

I'm not currently using public keys but I will try that alternative.


On Mon, 19 Jan 2004, Darren Tucker wrote:

> Krister Bergman wrote:
> > sorry if it is the wrong approuch to suggest improvments to OpenSSH,
> > but here comes my suggestion:
> >
> > I recently stumbled upon the scponly shell which in it's chroot:ed form is
> > an ideal solution when you want to share some files with people you trust
> > more or less.
> >
> > The problem is, if you use the scponlyc as shell, port forwarding is still
> > allowed. This can of course be dissallowed in sshd_config, but not only
> > for certian users and/or groups.
> If you're using public-key authentication you can use the
> no-port-forwarding flag on the key:
> $ man sshd
> [snip]
>    no-port-forwarding
>       Forbids TCP/IP forwarding when this key is used for authentica-
>       tion.  Any port forward requests by the client will return an
>       error.  This might be used, e.g., in connection with the command
>       option.
> --
> Darren Tucker (dtucker at
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

More information about the openssh-unix-dev mailing list