Home / server / Questions / 174419
In Process
David Wolever
Asked: 2010-08-26 07:22:05 +0800 CST

OpenSSH: Control port forwarding?

  • 772

Is it possible to limit port forwarding with OpenSSH? I'd like to let users ssh -R on ports 6000..7000, but I'd like to block ssh -D and ssh -L.

ssh

3 Answers

  1. The configuration directives for sshd_config that you're interested in include:

    AllowTcpForwarding
PermitOpen

    There does not seem to be any granularity in regards to restricting the type of port forwarding allowed.

    However, pay attention to the documentation for the AllowTCPForwarding option:

     AllowTcpForwarding
         Specifies whether TCP forwarding is permitted.  The default is
         ``yes''.  Note that disabling TCP forwarding does not improve
         security unless users are also denied shell access, as they can
         always install their own forwarders.

    The concept being that if your users have shell access, it's trivial for them to setup their own forwarding once they are logged in using a utility such as netcat. This would circumvent any sshd configuration settings.

    • 1

  2. There's also the use of iptables which lets you have fined grained control over the ports that are allowed to be connected and/or forwarded.

    • 1

  3. http://www.manpagez.com/man/8/sshd/ Search for PermitOpen

    I do:

    Match User Blah
    PermitOpen BlahComputer:3389

    • 0