Reverse tunnel security settings

James Berry james at coppermoth.com
Tue Jun 17 18:05:28 EST 2014


I have a number of connections coming in to my host to create a reverse tunnel

from machine 1: ssh -R:19991:192.168.250.251:80 user1@host.org -N -f
from machine 2: ssh -R:19992:192.168.250.251:80 user2@host.org -N -f
from machine 3: ssh -R:19993:192.168.250.251:80 user3@host.org -N -f


You can see that each user has a specific port that they should use.

I would either like to dynamically set the correct port on my host (I
know what they should be), or if I cannot I would like to restrict the
connections so that the users can only open the tunnel on the ports
that I have specified.

I have not found anything in the configuration settings to restrict
the ports that can be selected by an inbound connection.  When a
dynamic port (0) is used, this appears to just pick the next available
port.

I have experimentally patched serverloop.c to ignore the user-specified
port and use one based on the uid, but wonder:
a) Is there a good way to achieve this without patching openssh?
b) If the best way is to continue with the patch, perhaps we can
discuss options for what the patch should look like, as I would prefer
to submit to the project rather than maintain my own branch.  I would
suggest either calling out to an external program that returns the
port (this may be considered to be a security problem), or some other
mapping from users to the port (range?) they can choose.

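One way to get the per-user port restriction asked for above without patching sshd, added here as a constructed example rather than anything from the original post: sshd's PermitListen keyword (present in OpenSSH 7.8 and later, so not in the releases current when this was written) in a per-user Match block, with the user names and ports taken from the message. GatewayPorts is assumed to be needed because the "-R:PORT:..." form requests a bind on all interfaces.

```conf
# Constructed sshd_config fragment (assumes OpenSSH 7.8 or later, where
# PermitListen exists).  Each user may open a reverse tunnel only on the
# port assigned to them; any other tcpip-forward request is refused by
# sshd and logged, and the client sees "remote port forwarding failed".

# Default for everyone not matched below: no remote forwards at all.
PermitListen none

# The ":19991:..." form in the client command asks for a bind on all
# interfaces; sshd honours non-loopback binds only if GatewayPorts allows it.
GatewayPorts clientspecified

# "*:PORT" permits the given port on whichever bind address the client
# requests (empty or loopback); use "PORT" alone to allow loopback only.
Match User user1
    PermitListen *:19991

Match User user2
    PermitListen *:19992

Match User user3
    PermitListen *:19993

# Equivalent per-key restriction in ~user1/.ssh/authorized_keys, for
# deployments that prefer key options to Match blocks.  "restrict" turns off
# every permission, "port-forwarding" re-enables forwarding, and
# "permitlisten" narrows it to one port.  The key material is a placeholder.
#
# restrict,port-forwarding,permitlisten="*:19991" ssh-ed25519 AAAA...PLACEHOLDER user1-tunnel
```

After editing, `sshd -t` checks the syntax and `sshd -T -C user=user1` prints the effective values for that user, so the PermitListen line actually applied to each account can be confirmed before restarting.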

More information about the openssh-unix-dev mailing list