Q: how to restrict access selectively to client initiated local port forward
Peter Stuge
stuge-openssh-unix-dev at cdy.org
Fri Sep 28 03:43:57 EST 2007
On Thu, Sep 27, 2007 at 01:14:32PM -0400, Michael O'Cleirigh wrote:
> The important thing for us is a unique IP per client. We have this
> implemented where each client first authenticates through OpenVPN
> and is assigned a unique IP address.
>
> But some of our users can't get their corporate firewall changed to
> allow the tunnel to be established. So we've come up with a way
> that they can use ssh local port forwarding to accomplish the same
> thing.
Then you should run OpenVPN over TCP on port 22 or whatever you're
using for SSH that can be reached from clients, on another public IP
address and be done.
> However as far as I can tell there is no way in OpenSSH to define
> an access control policy for which connecting users are allowed to
> redirect through which local IP.
Right, because there's no way for OpenSSH to implement it anyway.
> answers the question: can $user redirect through $hostname)
Does the socket API keep track of socket owners?
//Peter
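The subject line asks which user may open a client-initiated local forward to which target. OpenSSH has no setting that picks a per-user source address for the forwarded connection, which is the part the thread is about, but it can restrict where a given user's or key's local forwards are allowed to go. The fragment below is an added example, not part of this message or of the OpenSSH project's own documentation; the group and user names, addresses and ports are hypothetical.

```text
# --- sshd_config, weak policy (the default; shown for contrast only) ---
# Any authenticated user may forward to any host:port reachable from the server.
AllowTcpForwarding yes
PermitOpen any

# --- sshd_config, hardened replacement for the two lines above ---
# Global default: nobody gets TCP forwarding.
AllowTcpForwarding no
GatewayPorts no

# Re-enable it only for chosen users/groups, and only to listed destinations.
# Match blocks override the global section; when several Match blocks match,
# the first one that sets a keyword wins, so put the more specific block first.
# Hosts and ports below are hypothetical.
Match User alice
    AllowTcpForwarding yes
    PermitOpen 10.0.0.10:443

Match Group fwdusers
    AllowTcpForwarding yes
    PermitOpen 10.0.0.10:443 10.0.0.11:5432

# --- ~/.ssh/authorized_keys equivalent, enforced per key rather than per user ---
# (one line; key material elided, hypothetical comment field)
permitopen="10.0.0.10:443",no-pty,no-X11-forwarding ssh-rsa AAAA... alice@example
```

Check the result with `sshd -t` before restarting, and with `ssh -L 8443:10.0.0.10:443 ...` followed by a forward to a non-listed host, which sshd should refuse with an "administratively prohibited" open failure. Note that both PermitOpen and permitopen constrain the destination of the forward; the outgoing connection is still made from whatever local address the kernel picks for that route, so they do not give the per-client source IP that the original poster wanted.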