Restricting port forwarding on remote server
Dale Worley
dale.worley at oracle.com
Wed Jan 3 01:39:41 AEDT 2018
> From: Juanito <juam at posteo.net>
>
> If I create a tunnel like this from the client side,
>
> ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o
> IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i
> /etc/sshquare/id_rsa -R $port:localhost:22 $user@$host
>
> would it be possible on the server side to restrict $port to say 10000
> and deny it on all other ports. In a way that $user is only allowed to
> forward a local port and bind it to 0.0.0.0:10000 but nowhere else.
>
> I have created a Host entry on the server side that allows GatewayPorts,
> because I actually want to listen on the public interface and have tried
> to use a PermitOpen 10000 but as far as I have understood, this is
> actually for -L forwarding and not the -R I am looking for.
I'm not sure exactly what you're asking. The -R argument to ssh causes
the remote sshd to forward one port back to localhost:22. What that
port is depends on the value of the -R argument, which in your case is
constructed using $port. But you haven't told us the value of $port in
this shell when this command is executed.
Remember: The shell substitutes in the values of all the variables to
create the effective command line, which contains no variable
references. Then it runs ssh, giving it the argument values that are in
the effective command line. ssh does *not* see any variables.
Dale
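The server-side restriction the question asks about, as an added example that is not part of this thread: an sshd_config fragment that lets one account open a reverse (-R) listener on port 10000 only, bound to the public interface via GatewayPorts, and a small awk resolver that reports which value sshd will apply for a given keyword and user (global section first, then the first matching "Match User" block overrides it). It relies on the PermitListen directive, which was added to sshd_config in OpenSSH 7.8 and is not mentioned in the thread (assumption: the server runs 7.8 or later); the account name "tunnel" and the config text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Writes a constructed sshd_config to $1:
# global defaults deny all forwarding, a Match block opens exactly one
# reverse-forward listener (port 10000, any interface) for user "tunnel".
write_config() {
  cat > "$1" <<'EOF'
# Global defaults: no TCP forwarding for ordinary accounts
AllowTcpForwarding no
GatewayPorts no
PermitListen none

Match User tunnel
    # -R only (no -L), listener may use port 10000 only, bound to the wildcard
    # address because GatewayPorts is forced on for this account
    AllowTcpForwarding remote
    GatewayPorts yes
    PermitListen 10000
    PermitOpen none
    X11Forwarding no
    PermitTTY no
EOF
}

# effective_value CONFIG USER KEYWORD
# Prints the value sshd applies for KEYWORD when USER logs in: the first
# matching "Match User" block that sets it wins, otherwise the first global
# setting, otherwise the compiled-in default. (Hypothetical helper; only
# "Match User" criteria are understood.)
effective_value() {
  awk -v user="$2" -v key="$3" '
    /^[ \t]*#/ || NF == 0 { next }                     # comments, blank lines
    tolower($1) == "match" {                            # start of a Match block
      in_match = 1; matched = 0
      for (i = 2; i <= NF; i += 2)
        if (tolower($i) == "user") {
          n = split($(i + 1), names, ",")
          for (j = 1; j <= n; j++) if (names[j] == user) matched = 1
        }
      next
    }
    tolower($1) == tolower(key) {
      v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)        # strip keyword, keep value
      if (!in_match) { if (!gfound) { global = v; gfound = 1 } }
      else if (matched && !found) { match_val = v; found = 1 }
    }
    END { print (found ? match_val : (gfound ? global : "(compiled-in default)")) }
  ' "$1"
}

# Stand-alone run: show what the tunnel account and an ordinary account get.
if [ "${1:-}" = "--demo" ]; then
  cfg=$(mktemp); write_config "$cfg"
  for u in tunnel alice; do
    for k in AllowTcpForwarding GatewayPorts PermitListen; do
      printf '%s %s = %s\n' "$u" "$k" "$(effective_value "$cfg" "$u" "$k")"
    done
  done
  rm -f "$cfg"
fi
```

On a host where sshd is installed, the authoritative check is `sshd -T -C user=tunnel -f "$cfg" | grep -iE 'permitlisten|gatewayports|allowtcpforwarding'`, which prints the values sshd itself resolves for that user; the awk resolver above is only a dependency-free stand-in for the same question. With this in place a client running the `-R $port:localhost:22` command from the question succeeds when `$port` expands to 10000 and is refused for any other value (the client logs a remote port forwarding failure for the listen port), while `-L` requests are refused outright because AllowTcpForwarding is limited to `remote`.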