Restrict a client port-forward to 1 port

Adriana Rodean adrya1984 at gmail.com
Mon Aug 17 16:29:39 EST 2009


Hi,

Thank you so much all for the suggestions :)))

Same as Peter, I believe that this should be a feature of OpenSSH:
restrict not only the local port along with a public key, but the remote port
also. This will solve my problem. So please, if someone can implement
this, it would be great...

In the meantime I will try to handle it with the Linux suggestions...
The problem with this approach is that all my clients connect to the server
with the same user. And from your suggestions I see that I can bind a port
to a user to do the restriction.
Is there any other way to do this? Like binding the IP of the client to a port?
Right now the only way to identify a client uniquely on my server is by
its public key in authorized_keys, which is why it would have
been nice to have this feature implemented in ssh...

Thank you so much all,
Adriana

On Sun, Aug 16, 2009 at 01:15, Peter Stuge<peter at stuge.se> wrote:
> Hi Adriana,
>
> Adriana Rodean wrote:
>> If ssh can't i'm thinking maybe Linux can...
>> I mean restrict only client X (which is behind a certain ip
>> address) to listen to port 1037 on the server.
>
> No, if this is going to happen it has to happen in the SSH server.
>
> OpenSSH can do this if each client has its own private SSH key, and
> is using it for authentication.
>
> As was suggested you would then disable all other authentication
> methods than publickey in sshd, disallow generic port forwarding, and
> include a permitopen directive for each client public key in
> ~/.ssh/authorized_keys
>
> If you wish for it to function differently, keep in mind that one
> really wonderful property of open source software such as OpenSSH
> (and Linux) is that you yourself, or a contractor, can implement the
> functionality you desire, exactly the way you like it. Of course it
> is appreciated if any changes are made in agreement with developers,
> and contributed back (posted to this mailing list) once finished.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
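As an added example, not from either poster: a small audit of the authorized_keys approach Peter describes, checking each key for the gap Adriana points out (permitopen limits only -L forwards). It assumes a current OpenSSH, where the permitlisten option (added in 7.8, years after this thread) limits -R forwards the same way; the sample entries and key blobs are constructed.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss", "sk-")  # entries without options start with these
OPT_RE = re.compile(r'(?:[^,"]|"[^"]*")+')               # one option; commas inside quotes kept
LINE_RE = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s+(.*)$')  # options, then key material

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
# all clients log in as the same account and differ only by key
permitopen="127.0.0.1:1037",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFiY2Rl client-a
permitopen="127.0.0.1:1037",permitlisten="127.0.0.1:1037",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZnaGlq client-b
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtsbW5v client-c
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBxcnN0 client-d
"""

def parse_line(line):
    """Return (options, key type, comment) for one entry, or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        opts, rest = [], line
    else:
        m = LINE_RE.match(line)
        if m is None:
            return None
        opts, rest = OPT_RE.findall(m.group(1)), m.group(2)
    parts = rest.split(None, 2)
    return opts, parts[0], (parts[2] if len(parts) > 2 else "")

def audit(text):
    """List (line number, key comment, finding) for every key whose forwarding is not fully limited."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, _, comment = parsed
        names = [o.split("=", 1)[0] for o in opts]
        enabled = True                      # sshd applies options in order; the last one wins
        for name in names:
            if name in ("no-port-forwarding", "restrict"):
                enabled = False
            elif name == "port-forwarding":
                enabled = True
        if enabled and "permitopen" not in names:       # permitopen limits only -L
            findings.append((n, comment, "local forwards (-L) unrestricted"))
        if enabled and "permitlisten" not in names:     # permitlisten limits only -R
            findings.append((n, comment, "remote forwards (-R) unrestricted"))
    return findings
```

Run `audit(open("~/.ssh/authorized_keys").read())` against the shared account's file; only client-b in the sample is limited in both directions, and the `restrict` entry for client-d has forwarding switched off entirely.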

