Forwarding Remote Ports.

Robin David Hammond rhammond at databit7.com
Sun Nov 28 13:20:45 EST 2010

I was setting up sshd on a netbsd box to allow cygwin users to auto-ssh
in, and be rsync'ed. I wanted to secure the install such that a
compromised or stolen cygwin client could not be used to attack the sshd
server.

Setting shell to /usr/bin/false and using -N client side were helpful. I
disabled port forwarding for the client ssh key, and enabled some local
port forwarding for my webserver (backupPC has a decent CGI for the tech
literate users). Works great, thanks to all who made that possible!

I wanted to allow the rsync connection to be initiated from a box
attached to the sshd host; this would mean using ssh -R client-side.

With TCPforwarding on in sshd_config the client can forward any remote
(server) port. If, however, TCPforwarding is off in sshd_config, even if
I use permitopen in authorized_keys I cannot forward any remote ports.

I was wondering if having remote ports be allowed through permitopen was
a good idea, then concluded that ambiguity between forwarded local and
forwarded remote ports was dangerous. It's not like we NEVER renumber
networks....

I decided to implement this behaviour using a permitremote=HOST:PORT
(unless anyone has a better suggestion); expect a patch when I get a
Round Tuit.

-- 

                       _
ASCII ribbon campaign ( )	| Robin-David Hammond %KB3IEN
 against HTML e-mail   X	| CCNA
                      / \
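Added example, not part of the message above and not OpenSSH's own code: a small audit script that parses authorized_keys entries in the format sshd(8) documents and reports, per key, whether local (-L) forwarding is bounded by permitopen, whether remote (-R) forwarding is bounded at all, and whether a forced command pins the session. It assumes the later permitlisten option (added in OpenSSH 7.8 for exactly the remote-forwarding case the message proposes permitremote for) is what a modern server would use; the finding codes and the sample key lines are constructed for this example.

```python
"""Audit authorized_keys entries for the forwarding controls discussed above; sample data is constructed."""
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")                       # a line starting with these has no options field
OPTS_RE = re.compile(r'((?:"[^"\\]*(?:\\.[^"\\]*)*"|[^\s"])+)\s+(.*)')   # options, whitespace, remainder

def split_options(opts):
    """Split the comma-separated options field, honouring double quotes and backslash escapes."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if quoted and c == "\\" and i + 1 < len(opts):     # escaped character inside a quoted value
            cur.append(opts[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted                             # quotes delimit the value, they are not part of it
        elif c == "," and not quoted:
            out.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if cur: out.append("".join(cur))
    return out

def audit_line(line):
    """Return (comment, finding codes) for one key line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"): return None
    m = None if line.startswith(KEY_TYPES) else OPTS_RE.match(line)
    opts, rest = (split_options(m.group(1)), m.group(2)) if m else ([], line)
    fields = rest.split(None, 2)                            # keytype, base64 key, optional comment
    comment = fields[2] if len(fields) > 2 else fields[-1]
    names = {o.split("=", 1)[0] for o in opts}
    fwd = not ({"restrict", "no-port-forwarding"} & names)  # is any TCP forwarding allowed for this key?
    findings = []
    if fwd and "permitopen" not in names: findings.append("unrestricted-local")     # any -L target allowed
    if fwd and "permitlisten" not in names: findings.append("unrestricted-remote")  # -R gated only by AllowTcpForwarding
    if "command" not in names: findings.append("no-forced-command")                # shell / rsync invocation not pinned
    return comment, findings

def audit(text):
    """Audit a whole file; returns {key comment: [finding codes]}."""
    return dict(filter(None, map(audit_line, text.splitlines())))

SAMPLE = """\
# constructed sample; the key material is a placeholder, not a real key
ssh-ed25519 AAAAC3placeholder backup-open
no-pty,permitopen="127.0.0.1:80" ssh-ed25519 AAAAC3placeholder backup-cgi
restrict,command="rsync --server --sender . /backup",permitopen="127.0.0.1:80" ssh-ed25519 AAAAC3placeholder backup-hardened
"""
```

Run `audit(SAMPLE)` to see that only the `restrict` + `command=` + `permitopen=` key comes back clean; a key with permitopen alone still leaves -R wide open whenever AllowTcpForwarding is on, which is the gap the message describes.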
