Q: how to restrict access selectively to client initiated local port forward

Peter Stuge stuge-openssh-unix-dev at cdy.org
Fri Sep 28 03:43:57 EST 2007

On Thu, Sep 27, 2007 at 01:14:32PM -0400, Michael O'Cleirigh wrote:
> The important thing for us is a unique IP per client.  We have this
> implemented where each client first authenticates through OpenVPN
> and is assigned a unique IP address.
> But some of our users can't get their corporate firewall changed to
> allow the tunnel to be established. So we've come up with a way
> that they can use ssh local port forwarding to accomplish the same
> thing.

Then you should run OpenVPN over TCP on port 22 or whatever you're
using for SSH that can be reached from clients, on another public IP
address and be done.

> However as far as I can tell there is no way in OpenSSH to define
> an access control policy for which connecting users are allowed to
> redirect through which local IP.

Right, because there's no way for OpenSSH to implement it anyway.

> answers the question: can $user redirect through $hostname)

Does the socket API keep track of socket owners?

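For readers arriving at this thread looking for what OpenSSH *can* enforce on client-initiated local forwards: the server-side controls are per-user/per-group `Match` blocks with `AllowTcpForwarding` and `PermitOpen`, which restrict the *destinations* a user may forward to. The fragment below is an added illustration, not part of the original thread or of the OpenSSH project; the user and group names and the destination addresses are made up.

```text
# sshd_config (added example; names and addresses are constructed)

# Default for everyone: no client-initiated TCP forwarding at all.
AllowTcpForwarding no

# Users in the "vpn-fallback" group may open local (-L) forwards only,
# and only to the two internal services listed.  "local" as a value
# needs OpenSSH 6.2 or later; older servers accept only yes/no.
Match Group vpn-fallback
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:443 10.0.0.6:8443
    X11Forwarding no
    PermitTunnel no

# One user gets a narrower policy than the rest of the group.
# The first matching Match block wins, so this must come before
# any broader group rule that would also match "alice".
Match User alice
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:443
```

Check a candidate file with `sshd -t -f /path/to/sshd_config` before reloading, and `sshd -T -C user=alice` prints the effective settings for that user. Note what this does not do, which is the point of the exchange above: `PermitOpen` filters where a forward may connect *to*; it gives no control over which local address the server uses as the *source* of the outbound connection, so it cannot stand in for OpenVPN's one-address-per-client model.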

More information about the openssh-unix-dev mailing list