Restrict a client port-forward to 1 port

Peter Stuge peter at stuge.se
Sun Aug 16 08:15:54 EST 2009


Hi Adriana,

Adriana Rodean wrote:
> If ssh can't, I'm thinking maybe Linux can...
> I mean restrict only client X (which is behind a certain ip
> address) to listen to port 1037 on the server.

No, if this is going to happen it has to happen in the SSH server.

OpenSSH can do this if each client has their own private SSH key and
is using it for authentication.

As was suggested you would then disable all other authentication
methods than publickey in sshd, disallow generic port forwarding, and
include a permitopen directive for each client public key in
~/.ssh/authorized_keys.

If you wish for it to function differently, keep in mind that one
really wonderful property of open source software such as OpenSSH
(and Linux) is that you yourself, or a contractor, can implement the
functionality you desire, exactly the way you like it. Of course it
is appreciated if any changes are made in agreement with developers,
and contributed back (posted to this mailing list) once finished.


//Peter
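The setup Peter describes (publickey-only sshd, generic forwarding disallowed, a per-key permitopen in authorized_keys), as an added example that is not part of the thread: an sshd_config fragment, a helper that emits one restricted authorized_keys line per client, and an audit function that flags any key left able to forward anywhere. The client address 203.0.113.5, the key material and the 127.0.0.1:1037 target are constructed, and the restrict and from= key options are assumed to be available (OpenSSH 7.2 or later).

```shell
# Added example, not from the thread; key material and addresses are constructed.
# Assumes OpenSSH 7.2+ ("restrict" option); on releases before 8.7 write
# ChallengeResponseAuthentication instead of KbdInteractiveAuthentication.

# sshd_config fragment: publickey only, and only client-to-server (-L style)
# forwarding, so the per-key permitopen below is the sole allowed destination.
SSHD_CONFIG_FRAGMENT='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowTcpForwarding local
X11Forwarding no
PermitTunnel no'

# One authorized_keys line per client: "restrict" drops pty, agent, X11 and all
# forwarding; "port-forwarding" re-enables only that; permitopen pins the
# target (the -L destination must match this string exactly, 127.0.0.1 is not
# localhost); from= ties the key to the client's source address.
authorized_keys_line() {  # $1 client address, $2 host:port, $3 public key
    printf 'restrict,port-forwarding,from="%s",permitopen="%s" %s\n' "$1" "$2" "$3"
}

# A line is acceptable if forwarding is either pinned or switched off.
line_is_restricted() {
    case "$1" in
        *'permitopen="'*|*no-port-forwarding*) return 0 ;;
        *restrict*) case "$1" in *port-forwarding*) return 1 ;; *) return 0 ;; esac ;;
    esac
    return 1
}

# Audit: print every key that could forward anywhere; return 1 if any exist.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! line_is_restricted "$line"; then
            printf 'unpinned forwarding: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Demo: client X (203.0.113.5) may reach only 127.0.0.1:1037 and connects with
# ssh -N -L 1037:127.0.0.1:1037 user@server
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal client-x'
demo=$(mktemp)
authorized_keys_line 203.0.113.5 127.0.0.1:1037 "$DEMO_KEY" > "$demo"
audit_authorized_keys "$demo" && echo "authorized_keys OK"
rm -f "$demo"
```

permitopen governs forwards the client opens toward the server (-L); on OpenSSH 7.8 and later a client that must open a listener on the server (-R) is pinned the same way with permitlisten.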

