External port forwarding control mechanism
Frank Mohr
f_mohr at yahoo.de
Wed Feb 1 20:06:08 EST 2006
RR_ITCSEC wrote:
> Hi,
>
> I'm looking for the best way to include an external decision mechanism into
> OpenSSH, which allows it to restrict port forwarding only to destination
> ports which are defined in a special external control file for the
> authenticated session. The authenticated ssh user should only be allowed to
> connect to this dedicated port to tunnel a VNC session through ssh. So the
> server side has to decide if the received client data in the ssh channel
> could be forwarded or not.
> Does there already exist a solution for the current OpenSSH version?
>
> Last year I read in a mailing list that such behavior was included in
> earlier versions of OpenSSH.

You can add permitopen= to the keys:

     permitopen="host:port"
             Limit local ``ssh -L'' port forwarding such that it may only
             connect to the specified host and port. IPv6 addresses can be
             specified with an alternative syntax: host/port. Multiple
             permitopen options may be applied separated by commas. No
             pattern matching is performed on the specified hostnames, they
             must be literal domains or addresses.

frank
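
The check below is an added example, not part of the original post and not OpenSSH code: it parses authorized_keys lines, lists the keys that carry no permitopen option, and tests a requested destination by exact string comparison, as the quoted man page text describes. The sample keys, the comment names and all function names are constructed for illustration.

```python
import re

# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE = '''\
permitopen="localhost:5901",no-pty ssh-rsa AAAA_CONSTRUCTED_1 vnc-user
permitopen="10.0.0.5:5900",permitopen="::1/5901" ssh-rsa AAAA_CONSTRUCTED_2 ops
command="echo permitopen=\\"x:1\\", hi" ssh-rsa AAAA_CONSTRUCTED_3 batch
ssh-rsa AAAA_CONSTRUCTED_4 unrestricted
'''
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: a name, optionally ="value"; the value may hold commas and \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def split_options(line):
    """Return the leading options field of one authorized_keys line ('' if none)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return ""                      # line starts with the key type: no options
    in_quotes, i = False, 0
    while i < len(line):
        if line[i] == "\\" and in_quotes:
            i += 1                     # skip the escaped character
        elif line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            break                      # first unquoted blank ends the options
        i += 1
    return line[:i]

def permitted_destinations(line):
    """Return the set of (host, port) from permitopen options, or None if absent."""
    dests = set()
    for name, value in OPTION_RE.findall(split_options(line)):
        if name.lower() == "permitopen":
            sep = "/" if "/" in value else ":"   # host/port is the IPv6 form
            host, _, port = value.rpartition(sep)
            dests.add((host, int(port)))
    return dests or None

def is_allowed(line, host, port):
    """Exact match only: 'localhost' and '127.0.0.1' are different destinations."""
    dests = permitted_destinations(line)
    return dests is None or (host, port) in dests

def audit(text):
    """Return the comment field of every key that has no permitopen option."""
    keys = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [l.split()[-1] for l in keys if permitted_destinations(l) is None]
```

Running audit() over a real authorized_keys file shows which keys still need a permitopen entry before they are handed to a VNC-only user.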
More information about the openssh-unix-dev mailing list