Fwd: Restricting port forwarding on remote server

Juanito juam at posteo.net
Tue Jan 2 04:12:54 AEDT 2018


Dear OpenSSH-Devs,

I hope this is the correct place to ask this, if not feel free to ignore
it or forward it wherever is better suited. Thank you very much for that!

First of all, thank you for this magnificent piece of software :)

Secondly, I'd like to ask a question, as the Internet and the manuals
don't seem to have the answer. Well, they say it's not possible, but I'd
just like to make sure. So here it goes:

Is it possible to restrict the ports a certain user is able to open on a
remote server?

If I create a tunnel like this from the client side,

ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o
IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i
/etc/sshquare/id_rsa -R $port:localhost:22 $user@$host

would it be possible on the server side to restrict $port to, say, 10000
and deny it on all other ports? In a way that $user is only allowed to
forward a local port and bind it to 0.0.0.0:10000 but nowhere else.

I have created a Host entry on the server side that allows GatewayPorts,
because I actually want to listen on the public interface and have tried
to use a PermitOpen 10000 but as far as I have understood, this is
actually for -L forwarding and not the -R I am looking for.

Is there any way to do this?

Again, thank you very much and a happy New Year to all of you!

Cheers,
Juanito
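Added editorial example, not part of Juanito's mail: an sshd_config fragment that implements the restriction asked for above. It relies on the PermitListen keyword, which controls the bind ports a client may request with -R (PermitOpen, as the mail notes, only governs -L destinations). PermitListen was introduced in OpenSSH 7.8, a release newer than this message, so it is an assumption that the server runs 7.8 or later; the user name "juanito" is a placeholder.

```sshd_config
# Added example sshd_config fragment (assumes OpenSSH 7.8+; not from the mail).
# Goal: the user may only create a reverse forward that binds port 10000
# on the public interface, and nothing else.

# Default for everyone: no -R listeners and no -L destinations unless a
# Match block below explicitly opens them up.
PermitListen none
PermitOpen none

Match User juanito
    # Only "-R 10000:..." is accepted; a request for any other bind port
    # (e.g. -R 10001:localhost:22) is refused when the channel is requested.
    PermitListen 10000
    # Required so the listener may bind 0.0.0.0 (and ::) instead of loopback;
    # GatewayPorts still applies after PermitListen has passed the request.
    GatewayPorts yes
    # Keep the account narrow: nothing but this single forward.
    AllowAgentForwarding no
    X11Forwarding no
```

Check the effective values for that user with `sshd -T -C user=juanito | grep -i permitlisten` after `sshd -t` reports the file is valid. The same policy can be attached to a single key instead of a Match block with the authorized_keys options `restrict,port-forwarding,permitlisten="10000"` (also OpenSSH 7.8+), which is convenient when the tunnel key is the only thing that should ever bind that port.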


