Securing an ssh key for remote port forward only

M Rubon rubonmtz at
Mon Aug 3 04:27:24 AEST 2020

In your VPS sshd_config, you can put the following:

Match User myNephew
   MaxSessions 0      # ZERO -- no login sessions allowed
   PermitOpen none      # User can not connect to any listening ports
   PermitListen localhost:12345       # User can listen from this server port
   ClientAliveInterval 300        # Make sure we have heard from the
nephew recently
   PasswordAuthentication no

Some options may depend on the OpenSSH version you are running on your VPS.

On Sat, 1 Aug 2020 at 16:54, Billy Croan <Billy at> wrote:
> I'm giving a nephew his first linux computer, and I want to be able to
> connect to it remotely reliably if he runs into trouble, given the
> potential for travel restrictions in the US.
> I set up an ssh key on this laptop and an account for it on a vps of mine.
> I installed the ssh key on the vps, and am planning to wrap autossh in a
> systemd script.  So that any time the system is booted, it will try to keep
> alive the ssh connection back to my VPS.  And that ssh connection will use
> -R 12345:localhost:22 so that from my vps, I can ssh to his laptop through
> the reverse port forward.
> This will avoid him having to negotiate port forwarding.  And it will be
> dependent on no 3rd party services that could change over time.  As long as
> he "can get on the internet" by clicking around networkmanager, it should
> just connect in the background and stay connected.
> But I don't want that key to be able to do anything else on my VPS.
> (shell/or socks proxy regular port forwards.  I've done similar locked keys
> before for other purposes, but never for a reverse port forward.
> So I looked through some documentation, googled a bit, and found:
> command="echo 'Port forwarding only
> account.'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen=""
>  ssh-rsa AAAA-blahblahblahb
> I learned that if I follow no-port-forwarding with a permitopen  in
> authorized-keys it creates specific allowed port forwards and all others
> will be denied.  That sounds like what I want.  But it was for
> regular/forward/-L port forwarding.  What I need is a version of permitopen
> for reverse/-R port forwarding.
> I tried permitbind and permitlisten, and those were both nonexistant.  I
> searched for a manpage for authorized_keys and didn't find out, but I did
> find a post on this very mailing list years ago asking for one.  I ran sshd
> through gnu strings and looked for strings adjacent to permitopen that I
> might try, and nada.
> How can I accomplish this?
> (let an ssh key open specific remote port forwards but no local ports
> forwards, and no non-listed remotes)
> I'd rather not run a seperate vm/public ip just for this, or a seperate
> sshd instance in a selinux-limited chroot jail or something crazy like
> that.  I'd really like to solve the key/account lockdown in the authkeys
> file, or sshd config
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list