Q: how to restrict access selectively to client initiated local port forward

William Ahern william at 25thandClement.com
Fri Sep 28 03:28:33 EST 2007

On Thu, Sep 27, 2007 at 01:14:32PM -0400, Michael O'Cleirigh wrote:
> However as far as I can tell there is no way in OpenSSH to define an 
> access control policy for which connecting users are allowed to redirect 
> through which local IP.
> i.e. we can't enforce that only user1 can local redirect through 
> which would allow anyone with system access to redirect 
> through
> I've downloaded and locally modified openssh-4.7p1 to include a new 
> module that will allow this decision to be made (reads a custom 
> configuration file that answers the question: can $user redirect through 
> $hostname).  But I can't figure out the exact place to insertit in the 
> OpenSSH source code.
> Could someone point me to the source file and line that is responsible 
> for the server side inialization of a client local forward?

I've long forgotten how I did it, but when I was at Barracuda Networks
I did just this while working on this work:


I forgot why I didn't release the other work. But, I added a feature to
execute a progam which transformed port forward requests on the server side;
if the script exited with non-zero the request was denied. It had the
configuration work and everything.

You can try querying denis at barracuda.com and he might be able to give you
the patch (diff against the vendor tree and the production/development
tree), or bits of it to get you started. IIRC, it was non-trivial, like the
stream local patch. You can't easily just "drop in" a feature into the
OpenSSH code (i.e. add a function somewhere which plugs-in a complex branch
of logic), because the codebase is rather brittle at this point.

Good luck.

More information about the openssh-unix-dev mailing list