Q: how to restrict access selectively to client initiated local port forward

Chris Rapier rapier at psc.edu
Fri Sep 28 05:12:36 EST 2007


> Then you should run OpenVPN over TCP on port 22 or whatever you're
> using for SSH that can be reached from clients, on another public IP
> address and be done.

This is likely the correct solution.

>> However as far as I can tell there is no way in OpenSSH to define
>> an access control policy for which connecting users are allowed to
>> redirect through which local IP.
> 
> Right, because there's no way for OpenSSH to implement it anyway.

You are right in that it can't be done in the base OpenSSH code. 
However, I know it can be done with patches to OpenSSH because we 
actually implemented it. We even had it so that one user wouldn't be 
able to bogart well known ports. So it can be done. It's just not easy and 
probably not worth the hassle in this instance.


More information about the openssh-unix-dev mailing list