[Bug 2842] New: PermitListen, like PermitOpen but for -R (remote port forwarding)

bugzilla-daemon at bugzilla.mindrot.org
Thu Mar 22 01:22:34 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2842

            Bug ID: 2842
           Summary: PermitListen, like PermitOpen but for -R (remote port
                    forwarding)
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bolt at dhampir.no

I made a setup where several road warriors (varying IPs) connect to
home base and forward one port each to their local SSH ports, i.e.:
"ssh rw1002@homebase -n -N -R 5002:localhost:22"
"ssh rw1003@homebase -n -N -R 5003:localhost:22"

I cannot find an option to restrict user rw1002 from forwarding port
5003, or for that matter stealing port 1080 or 8080 or whatever else
local services might be configured to use if they're not running at the
time. Several important things use ports >=1024 these days.

PermitOpen restricts destinations for forwarding with -L.
I'm missing a similar option for -R.

Example:
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    PermitListen localhost:5004

Similarly, having the option to do this in authorized_keys files would,
I think, be awesome.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
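
Added example (not part of the original report, and not OpenSSH code): a Python model of the requested per-user listen restriction, evaluated against the Match blocks from the report. The function names, the literal comparison of bind hosts, the "localhost" bind assumed when -R names none, and leaving users without an entry unrestricted are all assumptions of this model.

```python
# Added illustration: a model of the per-user listen restriction requested in
# the report. Matching rules are assumptions, not OpenSSH's implementation.

SAMPLE_CONFIG = """\
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    PermitListen localhost:5004
"""  # the example block from the report

def parse_policy(text):
    """Return {user: [(host_or_None, port), ...]} from 'Match User' blocks."""
    policy, user = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            # Only the single-criterion 'Match User <name>' form is modelled.
            is_user = len(words) == 3 and words[1].lower() == "user"
            user = words[2] if is_user else None
        elif key == "permitlisten" and user is not None:
            for spec in words[1:]:
                host, _, port = spec.rpartition(":")
                policy.setdefault(user, []).append((host or None, int(port)))
    return policy

def parse_remote_forward(arg):
    """Split an ssh -R value '[bind:]port:host:hostport' into (bind, port)."""
    parts = arg.split(":")  # IPv4/hostname forms only; no bracketed IPv6
    if len(parts) == 3:
        return "localhost", int(parts[0])  # assumed bind when none is given
    if len(parts) == 4:
        return parts[0] or "*", int(parts[1])
    raise ValueError("unsupported -R form: %r" % arg)

def listen_allowed(policy, user, forward_arg):
    """True if the user may open this listener under the modelled policy."""
    if user not in policy:
        return True  # no PermitListen entry: unrestricted, the gap reported
    bind, port = parse_remote_forward(forward_arg)
    # A bare port permits any bind host; host:port must match literally.
    return any(p == port and (h is None or h == bind) for h, p in policy[user])
```

Under the literal comparison assumed here, the entry 0.0.0.0:5003 does not cover a request sent without an explicit bind address, so an allow-list entry and the client command have to name the same bind host.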