Notes about SSH
How to restrict ssh port forwarding, without denying it?
- Source: https://superuser.com/questions/516417/how-to-restrict-ssh-port-forwarding-without-denying-it
OpenSSH has a feature for restricting -L style opens on the server side:
- In the server configuration file there is a PermitOpen option. This option can be used to specify hosts and ports for which forwards can be established. This option can be used inside a Match block, so it can be restricted by user, group, or hostname or IP address pattern.
- In an authorized_keys file, options can be associated with a particular key. There is a permitopen option which works similarly to the server-config one.
- The option AllowTcpForwarding disables all forwarding in both directions, preventing listening ports from being set up on the server, as well as active forwards.
- There is no PermitOpen access control for -R style connections. This is probably okay. What it means is that the users can use ssh to open various non-privileged ports for listening on the server. Where these connect to on the other side of the SSH connection is the client's problem. If we restrict forwarding in the -L direction, the user has no way of using those -R ports (at least not through ssh, if that user is not able to create an arbitrary interactive session).
- There doesn't seem to be a way to create an empty list of permitted opens, to prevent users from making any -L style connections whatsoever. However, a workaround is to use a harmless, nonexistent or impossible host name, such as the empty string. Concretely, permitopen=":1234" does the trick.
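The following is an added, constructed example (not from the superuser answer above) putting those options together in one sshd_config excerpt and one authorized_keys excerpt. The group name dbtunnel, the user deploy, the destination hosts and ports, the 10.0.0.0/24 source range and the key comments are all made-up placeholders; the key blobs are truncated placeholders, not real keys.

```sshd_config
# /etc/ssh/sshd_config excerpt (constructed example)

# Global default: no TCP forwarding in either direction for anyone
# who does not match a block below. Match blocks must come after
# the global directives, because each Match applies until the next
# Match or end of file.
AllowTcpForwarding no

# Members of the (hypothetical) dbtunnel group may open -L forwards,
# but only to these two host:port destinations.
Match Group dbtunnel
    AllowTcpForwarding yes
    PermitOpen db1.internal.example:5432 db2.internal.example:5432

# A single account, further restricted by client source address.
Match User deploy Address 10.0.0.0/24
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:8080

# ~/.ssh/authorized_keys excerpt (constructed example; key blobs are placeholders)
# Per-key equivalent of PermitOpen: several permitopen= options may be
# listed, comma-separated, in front of the key.
permitopen="db1.internal.example:5432",permitopen="db2.internal.example:5432" ssh-ed25519 AAAAC3...PLACEHOLDER... alice@example
# The ":1234" trick from the notes: an empty host name yields an
# effectively empty permitted-opens list for this key.
permitopen=":1234" ssh-ed25519 AAAAC3...PLACEHOLDER... bob@example
# When forwarding should be off entirely for a key, the dedicated
# option is simpler than an impossible permitopen.
no-port-forwarding ssh-ed25519 AAAAC3...PLACEHOLDER... carol@example
```

Before reloading, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=alice,host=client.example,addr=10.0.0.5` prints the effective configuration for a given connection so you can confirm which Match block (and therefore which PermitOpen list) a user actually lands in. Note that, as the notes say, none of these settings constrain -R listeners; only AllowTcpForwarding no (or no-port-forwarding on the key) removes those.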