External port forwarding control mechanism

Frank Mohr f_mohr at yahoo.de
Wed Feb 1 20:06:08 EST 2006


RR_ITCSEC wrote:
> Hi,
> 
> I'm looking for the best way to include an external decision mechanism into 
> OpenSSH, which allows it to restrict port forwarding only to destination 
> ports  which are defined in a special external control file for the 
> authenticated session. The authenticated ssh user should only be allowed to 
> connect to this dedicated port to tunnel a VNC session through ssh. So the 
> server side has to decide if the received client data in the ssh channel 
> could be forwarded or not.
> Does there already exist a solution for the current OpenSSH version?
> 
> Last year I read in a mailing list, that such behavior was included in 
> earlier versions of OpenSSH.

you can add permitopen= to the keys:

permitopen="host:port"
   Limit local ``ssh -L'' port forwarding such that it may only con-
   nect to the specified host and port.  IPv6 addresses can be spec-
   ified with an alternative syntax: host/port.  Multiple permitopen
   options may be applied separated by commas.  No pattern matching
   is performed on the specified hostnames, they must be literal
   domains or addresses.

frank
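
An added example, not part of the original post or of OpenSSH's own code: a small Python parser that reads `authorized_keys` lines and reports, per key, which port-forwarding destinations the options permit, so keys missing a `permitopen=` restriction stand out. The key material, key comments and loopback VNC ports in the sample are constructed placeholders; the handling of `restrict` and `port-forwarding` assumes an OpenSSH release newer than the one in this thread.

```python
def split_options(line):
    """Return (options, rest); options end at the first unquoted whitespace."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # key type first: no options
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1   # escaped quote inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break
        else:
            cur += ch
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def forward_policy(line):
    """targets: None = any destination, [] = forwarding off, else permitopen list."""
    opts, rest = split_options(line.strip())
    fields = rest.split(None, 2)
    comment = fields[2] if len(fields) > 2 else "(no comment)"
    names = [o.split("=", 1)[0].lower() for o in opts]
    targets = [o.split("=", 1)[1] for o in opts if o.lower().startswith("permitopen=")]
    if "no-port-forwarding" in names or ("restrict" in names and "port-forwarding" not in names):
        return comment, []
    return comment, targets or None

def audit(text):
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return dict(forward_policy(l) for l in lines)

# Constructed sample: key material, comments and the loopback VNC ports are placeholders.
SAMPLE = """\
permitopen="127.0.0.1:5900" ssh-rsa AAAAB3PLACEHOLDER vnc-user
permitopen="127.0.0.1:5900",permitopen="127.0.0.1:5901" ssh-rsa AAAAB3PLACEHOLDER two-displays
command="echo hi, there",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER no-forward
ssh-rsa AAAAB3PLACEHOLDER unrestricted
"""

if __name__ == "__main__":
    for who, targets in audit(SAMPLE).items():
        print(who, "->", "ANY destination" if targets is None else targets or "forwarding disabled")
```

A result of `None` marks a key whose holder can forward to any destination the server can reach; those are the entries to tighten with `permitopen=`.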

	

	
		




More information about the openssh-unix-dev mailing list