openssh remote port forwarding and permitopen

Alex Bligh alex at
Sat Oct 1 01:22:04 EST 2011

I have an application where a lot of end user CPE devices ssh in
automatically to a central server, and are authenticated
by public key, to do remote (-R) port forwarding, so we can open
a connection back to a particular port on the remote device whether
it's behind some NAT or firewall or whatever. I want to be certain,
however, that if I open port 12345, it is connected to the correct
end user CPE (i.e. the one that presented the correct key).

Therefore I'd like a forceremoteport option in authorized_keys
so whatever remote port is specified by the client (perhaps
the client just specifies 0), it uses a particular allocated port
and no other. I don't particularly want to do the equivalent of
permitopen, as I'd have to have each client keep up with the
port allocations on the server, which is unnecessary and a pain.
In my scheme the client can do
   ssh -N -R 80:
with forceremoteport=12345, which would mean that
   telnet 12345
on would connect to the CPE's port 80.

Would you take a patch for this? It would have the advantage
that forceremoteport=0 would effectively disable -R forwarding.

Supplemental question: I'd like to disable -L port forwarding as
well (whilst leaving -R allowed subject to the above). I can't
immediately see any way to do this except for using permitopen
and a port that has nothing bound to it. Am I missing something?

Alex Bligh
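As an added example (not part of the post and not OpenSSH's own code): OpenSSH 7.8 later added the authorized_keys option permitlisten=, which limits the port a key may bind with -R and so gives the per-key port pinning asked for above, although the client must still request the matching port (ssh -N -R 12345:localhost:80 server). The script below keeps the server-side allocation in one table, checks that no port was handed out twice, and emits one authorized_keys line per CPE combining restrict, port-forwarding, permitlisten for the allocated port, and the dead-port permitopen workaround from the post to make -L useless. The CPE ids, ports and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example: build authorized_keys lines that pin each CPE key to one
# server-side -R port (permitlisten=, OpenSSH >= 7.8) and neuter -L with the
# dead-port permitopen trick from the post. Placeholder data throughout.

# Constructed allocation table: "<cpe-id> <allocated-port> <keytype> <keyblob>".
ALLOC='cpe-001 12345 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001
cpe-002 12346 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0002'

# Server port that nothing listens on: -L requests are accepted but can
# never connect anywhere (the workaround suggested in the post).
DEAD_PORT=1

# ak_line ID PORT KEYTYPE KEYBLOB -> one authorized_keys line.
#   restrict         : no pty, no agent/X11 forwarding, no rc files, no forwarding
#   port-forwarding  : re-enable forwarding so the two permit* options apply
#   permitlisten=    : -R may only bind the allocated port
#   permitopen=      : -L may only target the dead port
#   command=         : the key is for forwarding only; any exec request fails
ak_line() {
    printf 'restrict,port-forwarding,permitlisten="%s",permitopen="127.0.0.1:%s",command="/bin/false" %s %s %s\n' \
        "$2" "$DEAD_PORT" "$3" "$4" "$1"
}

# port_for ID -> the port allocated to that CPE; non-zero status if unknown.
port_for() {
    printf '%s\n' "$ALLOC" | awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Two CPEs sharing a port would break "port N always reaches the CPE that
# presented key N", so refuse to generate the file in that case.
check_unique_ports() {
    dups=$(printf '%s\n' "$ALLOC" | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Emit the whole authorized_keys file for the forwarding account.
gen_authorized_keys() {
    printf '%s\n' "$ALLOC" | while read -r id port ktype kblob; do
        ak_line "$id" "$port" "$ktype" "$kblob"
    done
}

check_unique_ports || { echo "duplicate port allocation in table" >&2; exit 1; }
gen_authorized_keys
```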

More information about the openssh-unix-dev mailing list