Hi,

I've recently run into a situation where I want clients (or certain
keys) to connect to an OpenSSH server and set up a remote port
forwarding channel (-R) without allowing them to do anything else.

It seems that current OpenSSH doesn't support this. I would like to
suggest the following changes to the options for authorized_keys:

* add a no-local-forwarding option that denies setup of -L channels
* add a no-remote-forwarding option that denies setup of -R channels
* make no-tcp-forwarding act like no-local-forwarding + no-remote-forwarding

And, not required for me, but for completeness:

* add a permitremote that defines ports that the connection may try to
  listen on

All these changes are seemingly trivial, but I haven't had anything to do
with the OpenSSH source code previously, so I'm probably not a good judge
of these matters. Are there any principal arguments against implementing
these changes? If not, what's the best way to proceed, code up a patch and
submit it to this list?

ciao,
--
[*Thomas Themel*]     <JonJonB> Purely in the interests of science, I have
[extended contact]    replaced the word "wand" with "wang" in the first Harry
[info provided in]    Potter Book. Let's see the results...
[*message header*]    -> http://bash.org/?111338
On Fri, Aug 29, 2003 at 02:06:02PM +0200, Thomas Themel wrote:
> Are there any principal arguments against implementing this changes? If
> not, what's the best way to proceed, code up a patch and submit it to
> this list?

write a patch and use openssh's bugzilla :)
On Fri, Aug 29, 2003 at 02:06:02PM +0200, Thomas Themel wrote:
> Hi,
>
> I've recently run into a situation where I want clients (or certain
> keys) to connect to an OpenSSH server and set up a remote port
> forwarding channel (-R) without allowing them to do anything else.

Hmm, do you mean like this?

  command="/usr/bin/cat",no-X11-forwarding,no-agent-forwarding,\
  permitopen="ip1:port1",permitopen="ip2:port2" ssh-rsa AAAA...

This works very well for me, although I should at least point cat to
/dev/null, or even better code up a client that _only_ does the forwarding.

//Peter
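The authorized_keys entry Peter posts above is easy to get subtly wrong by hand (a missing no-agent-forwarding, a permitopen target without a port), so here is an added example, written for this thread and not code from OpenSSH or from either poster, that builds such a forwarding-only entry and then checks an entry for the properties that make it forwarding-only: a forced command, X11 and agent forwarding disabled, and every permitopen target of the form host:port with a numeric port. It assumes a POSIX sh, that quoted option values contain no spaces, and a placeholder key string rather than a real public key. Note that permitopen only constrains -L (direct-tcpip) forwarding, which is the gap Thomas raises for -R; later OpenSSH releases added a permitlisten option for the listening side, which this thread predates.

```shell
#!/bin/sh
# Constructed example: build and sanity-check a forwarding-only authorized_keys
# entry in the style posted in this thread. Not OpenSSH code. The key string
# used in the usage call at the bottom is a placeholder, not a real key.

# build_forward_only_entry KEY TARGET...
# Emits one authorized_keys line: forced command, X11/agent forwarding and
# pty allocation off, and one permitopen= option per allowed host:port target.
build_forward_only_entry() {
    key=$1; shift
    opts='command="/usr/bin/cat",no-X11-forwarding,no-agent-forwarding,no-pty'
    for target in "$@"; do
        opts="$opts,permitopen=\"$target\""
    done
    printf '%s %s\n' "$opts" "$key"
}

# check_entry LINE
# Returns 0 when the entry forces a command, disables agent and X11
# forwarding, and every permitopen target is host:port with a port in
# 1..65535; returns 1 otherwise. Assumes no spaces inside quoted values,
# so the option list is everything before the first space.
check_entry() {
    line=$1
    opts=${line%% *}
    case ",$opts," in
        *,command=*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,no-agent-forwarding,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,no-X11-forwarding,*) ;;
        *) return 1 ;;
    esac
    # Walk the comma-separated option list and validate each permitopen value.
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            permitopen=*)
                target=${opt#permitopen=}
                target=${target#\"}; target=${target%\"}
                port=${target##*:}
                host=${target%:*}
                # A target without ':' leaves host == port == whole string,
                # which then fails the numeric-port test below.
                [ -n "$host" ] || { IFS=$old_ifs; return 1; }
                case $port in
                    ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
                esac
                [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { IFS=$old_ifs; return 1; }
                ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Usage: print an entry for two constructed targets and report the check result.
entry=$(build_forward_only_entry 'ssh-rsa AAAAPLACEHOLDER' '10.0.0.5:5432' 'db.example.internal:3306')
printf '%s\n' "$entry"
if check_entry "$entry"; then echo "entry looks forwarding-only"; else echo "entry is too permissive or malformed"; fi
```

The checker is deliberately conservative: it rejects anything it cannot parse rather than guessing, since a permissive parse here would silently accept an entry that still grants an interactive shell or agent access.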