I have created a jumphost/bastion, that will act just as that - a jumphost to certain hosts:ports.
I am aware of that I can limit users/groups with the following:
Match User Alice
PermitOpen some.host.tld:80 another.host.tld:22 third.host.tld:443
And due some requirements, I need to be able to utilize SOCKS-proxies. This is enabled by the following:
PermitTTY yes
PermitTunnel yes
AllowTcpForwarding yes
This works as expected.
However.. How do I ensure that only the application that the client specifically allowed is the only application (such as Firefox) is using the SOCK-proxy and not some random other application on the client? Can I limit the sessions/applications using the connection on the SSH-server?
I did try with "MaxSessions 1", but sadly it does not seems to apply on SOCKS-proxies.
One way of authenticating the usage of the socks5 is to have a reverse proxy with basic auth forwarding traffic to it, but you won't be able to protect it against usage by other users that can see the port in the loopback device locally. The Dynamic Port Forwarding from SSH will trust anyone with access to the machine it's listening on. But maybe, if you manage to have
-Dto listen to a unix domain socket, you might be able to set user+group permissions to the named pipe and have some form of security against non root users. But ssh's user manual don't mention any unix domain socket forwarding for dynamic port forwarding (-D) for socks4/5 usage. I think it's a long shot. You should trust people logged into the machine.There's a solution here: how to forbid connecting to localhost for ssh socks5 proxy