sen_ml at eccosys.com
1999-Dec-18 02:45 UTC
limiting port forwarding? (do better than just 'on' or 'off'?)
hello-

i would like to be able to have users access a specific set of ports (and no others) on a machine running an ssh daemon via ssh's port-forwarding.

i was thinking of doing this by not providing shell access (so using an appropriate command="command" option in each user's authorized_keys file), but i did not find an appropriate keyword for the sshd configuration file to control which ports should be permitted to be forwarded. i know about the AllowTcpForwarding keyword, but it does not appear to allow the granularity of control i would like, to put it mildly ;-)

is there currently a way to accomplish what is described above?

if not, how hard would it be to implement the ability to limit port-forwarding of server (the one that is running the sshd being connected to) ports to certain specific ports? further, would it be difficult to do this on a per rsa key basis and/or per user basis?

thanks for your time.
Damien Miller
1999-Dec-21 10:37 UTC
limiting port forwarding? (do better than just 'on' or 'off'?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 18 Dec 1999 sen_ml at eccosys.com wrote:

> hello-
>
> i would like to be able to have users access a specific set of
> ports (and no others) on a machine running an ssh daemon via ssh's
> port-forwarding.
>
> i was thinking of doing this by not providing shell access (so
> using an appropriate command="command" option in each user's
> authorized_keys file), but i did not find an appropriate keyword
> for the sshd configuration file to control which ports should be
> permitted to be forwarded. i know about the AllowTcpForwarding
> keyword, but it does not appear to allow the granularity of control
> i would like, to put it mildly ;-)

I was thinking of doing something along these lines.

The mechanism I had in mind was a /etc/ssh/portforward file (suggestions for a better name welcomed) containing the following fields:

username group remote_addr remote_port

username could be a name, uid or an asterisk meaning "any"
group could be a name, gid or an asterisk meaning "any"
remote_addr could be a hostname, ip address or network in CIDR format
remote_port could be a service name, port, port range (numbers with a hyphen between them) or an asterisk.

That which is not implicitly allowed would be denied. We could ship a default file of "* * * *" for backwards compatibility.

Thoughts?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4X1iDormJ9RG1dI8RAku1AJ9oWM0Vtxs193dQ0z5AstEpgQWOkACdEbcF
S8vwv+jrZOupHEun8Psfatw=
=Q1GP
-----END PGP SIGNATURE-----
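The following is a worked implementation of the policy-file format proposed in the reply above, added here as an example; it is not code from OpenSSH or from Damien Miller, and the function names (parse_policy, forward_permitted), the sample policy lines and the small built-in service table are assumptions made for the example. It evaluates a forwarding request (user, groups, requested destination, port) against the four-field rules with default deny, handling the name-or-numeric-id, hostname-or-CIDR, and service-name-or-port-range cases the proposal lists. For context, OpenSSH later shipped a narrower control of the same kind: the permitopen="host:port" option in authorized_keys and the PermitOpen directive in sshd_config restrict the destinations a client may request for local forwarding.

```python
import ipaddress
import socket
from dataclasses import dataclass

# Constructed sample policy in the format proposed in the reply above:
#   username group remote_addr remote_port
# username/group: name, numeric id, or "*"; remote_addr: hostname, IP or CIDR;
# remote_port: service name, port, "lo-hi" range, or "*".  Anything not
# matched by a rule is denied.
SAMPLE_POLICY = """\
# username  group  remote_addr     remote_port
alice       *      127.0.0.1       80
*           web    10.0.0.0/24     8000-8080
*           *      db.example.org  5432
bob         *      *               ssh
"""

# Small constructed service table so the example runs without /etc/services;
# names not listed here fall back to the system's getservbyname().
SERVICES = {"ssh": 22, "http": 80, "https": 443, "postgresql": 5432}


@dataclass(frozen=True)
class Rule:
    user: str
    group: str
    addr: str
    port: str


def parse_policy(text):
    """Parse policy text into Rule objects; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules


def _match_user(pattern, user, uid):
    """Match a username or numeric uid pattern; '*' matches anything."""
    if pattern == "*":
        return True
    if pattern.isdigit():
        return int(pattern) == uid
    return pattern == user


def _match_group(pattern, groups, gids):
    """Match a group name or numeric gid against the user's group memberships."""
    if pattern == "*":
        return True
    if pattern.isdigit():
        return int(pattern) in gids
    return pattern in groups


def _match_addr(pattern, target):
    """target is the host the client asked sshd to connect to (name or IP).
    A CIDR/IP pattern only matches a literal IP target: this example does no
    DNS resolution, so a hostname target never satisfies a network pattern."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == target.lower()  # hostname pattern, literal compare
    try:
        return ipaddress.ip_address(target) in net
    except ValueError:
        return False


def _match_port(pattern, port):
    """Match '*', a single port, a 'lo-hi' range, or a service name."""
    if pattern == "*":
        return True
    if pattern.isdigit():
        return int(pattern) == port
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= port <= int(hi)
    if pattern in SERVICES:
        return SERVICES[pattern] == port
    try:
        return socket.getservbyname(pattern) == port
    except OSError:
        return False


def forward_permitted(rules, user, uid, groups, gids, target, port):
    """Return True only if some rule matches every field (default deny)."""
    for r in rules:
        if (_match_user(r.user, user, uid)
                and _match_group(r.group, groups, gids)
                and _match_addr(r.addr, target)
                and _match_port(r.port, port)):
            return True
    return False


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print(forward_permitted(rules, "alice", 1000, [], [1000], "127.0.0.1", 80))  # True
    print(forward_permitted(rules, "alice", 1000, [], [1000], "127.0.0.1", 443))  # False
```

Two points matter if something like this is wired into a real daemon. First, the destination sshd sees is whatever the client placed in its forwarding request, a hostname or an IP literal, so a deployment has to decide whether hostname rules are compared literally (as here) or after resolution, and a CIDR rule should never be satisfied by an unresolved name. Second, the default-deny loop means a malformed or empty policy file denies all forwarding, which is the safe failure mode for an access-control list.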