openssh unix dev - Nov 2000 - implementing port forward restrictions

hi folks,
right now im implementing a quick hack to restrict ports the server will 
allow to be forwarded. This is to heighten security from clients accessing a 
server behind a firewall and as far as I could tell this is not possible with 
ssh so far. 
I think this is a reasonable feature for a release and shouldnt be too hard 
to implement in a way that follows the setup already used in the config and 
sshd handling of connections. I searched the mailing-list archives and found 
a few small references to it but none implied it was being worked on.
When I finish this if the list wants the diffs I'd be happy to supply them. 
I'd like the opinion of the other developers as to a key in the sshd_config 
that would be obvious yet not too long to define the ports, and the layout.
I was thinking 
HostAllowsPortsForwarded 143 2401 etc... space delimited numbers.

cheers,
michael salmon

for -R or -L style forwarding?

these kind of policy configurations should be implmented
with keynote (see rfc2704).

-markus

On Wed, Nov 22, 2000 at 02:14:52PM -0800, michael salmon
wrote:
> hi folks,
> right now im implementing a quick hack to restrict ports the server will 
> allow to be forwarded. This is to heighten security from clients accessing
a
> server behind a firewall and as far as I could tell this is not possible
with
> ssh so far. 
> I think this is a reasonable feature for a release and shouldnt be too hard
> to implement in a way that follows the setup already used in the config and
> sshd handling of connections. I searched the mailing-list archives and
found
> a few small references to it but none implied it was being worked on.
> When I finish this if the list wants the diffs I'd be happy to supply
them.
> I'd like the opinion of the other developers as to a key in the
sshd_config
> that would be obvious yet not too long to define the ports, and the layout.
> I was thinking 
> HostAllowsPortsForwarded 143 2401 etc... space delimited numbers.
> 
> cheers,
> michael salmon
>

michael salmon <ms at speakeasy.org> writes:
> right now im implementing a quick hack to restrict ports the server
> will allow to be forwarded.
We've already done that.  At the moment, I'm porting our modifications
to the current (portable) OpenSSH version.  After that, it will be
released to the general public.

You can have the old version (based on 1.2.3), if you want to.

Here's a manpage excerpt:

CONFIGURATION FILE

...

     ForwardingControl
             Specifies the global forwarding control file (default
             /etc/sshd_forward). See the PORT-FORWARDING FILE FORMAT section
             for details.  This option can be used to restrict port forwarding
             to specific hosts and ports.  It is safe only if the remote user
             is not able to gain interactive access on the server machine and
             to execute arbitrary commands.  The file is not processed if a
             user-specific or RSA-key-specific forwarding control file is pre-
             sent.

...

AUTHORIZED_KEYS FILE FORMAT

...

     port-forwarding-file="FILE"
             Specifies a file which controls port forwarding. The quotes are
             optional.  If the file name does not start with a slash `/', it
             is assumed that the file is located in the directory $HOME/.ssh.
             See the PORT-FORWARDING FILE FORMAT section for details.  This
             option can be used to restrict port forwarding to specific hosts
             and ports.  It is safe only if the remote user is not able to
             gain interactive access on the server machine and to execute ar-
             bitrary commands.

...

PORT-FORWARDING FILE FORMAT
     The file controlling port forwarding is read each time a port forwarding
     request is received from the client and is processed line by line.  Lines
     starting with `#' and empty lines are ignored as comments.  Each line
     which is not a comment consists of two parts, separated by a colon `:',
a
     host list and a port list.

     Host list  This part lists several host names or IP addresses, seperated
                by spaces, and optionally prefixed by an exclamation mark
`!',
                after which whitespace may follow.  An entry without a leading
                `!' is called postive, if a `!' prefix character is
present,
                the entry is called negative.

                A host is said to match an entry in the host list if one or
                more of the following conditions are met (a leading `!' is
ig-
                nored):

                o   The entry specifies the IP address (either in IPv4/dot or
                    IPv6/colon notation) of that host.

                o   The entry is a shell pattern which matches the IP address
                    of that host (in IPv4/dot or IPv6/colon notation, respec-
                    tively).

                o   (This condition applies only to IPv4 hosts.) The entry is
                    an IPv4 address, given in dotted-quad style, followed by a
                    slash `/' and decimal number specifying the number of
set
                    bits in the netmask; and that host lies within this net-
                    work.

                o   The entry is a host name, and one of the corresponding IP
                    addresses matches that of the the given host.

                A host matches the entire host list if and only if at least
                one entry matches, and the last (or rightmost) matching entry
                is positive.

     Port list  This part lists one several TCP ports or port ranges.  A deci-
                mal number from 1 to 65535 specifies a TCP port, two decimal
                numbers in this range, the first one less than the second one,
                and both separated by `-', specify a TCP port range.  Each
en-
                try can be prefixed with an exclamation mark `!', after
which
                whitespace may follow.  Again, a given port is said to match
                the port list if it is contained in the list or lies within a
                specified port range.  The match is called positive if the
                last (or rightmost) matching entry is not prefixed with a
`!',
                otherwise, the match is called negative.

     To determine whether a port forwarding request to a given host and port
     is legal, each non-comment line is processed as follows: If (and only if)
     the host list matches positively, the port list is examined, and if the
     port list matches positively or negatively, this fact is remembered.  A
     port forwarding request is granted if the last remember port list match
     was a positive one, the request is denied if the last match was negative
     or there was not any match at all.

   Examples
     The following port-forwarding file permits forwarding to host somehost on
     port 80, and to any host in the 192.168.2.0/24 class C net, but not to
     192.168.2.1; port forwarding for these hosts is restricted to unprivi-
     leged TCP ports, excluding port 2049.  In addition, forwarding is denied
     for port 27456 on host 129.168.2.2.

     somehost : 80
     192.168.2.0/24 !192.168.2.1 : 1024-65536 !2049
     192.168.2.2 : !27456

...

     $HOME/.ssh/forward
             If this file exists, port forwarding control requests are matched
             against its contents (see section PORT-FORWARDING FILE FORMAT
             above for a description of the file format).  In the
             $HOME/.ssh/authorized_keys file, an alternative file name can be
             specified on a per-key basis.

     /etc/sshd_forward
             Like $HOME/.ssh/forward, this file is used to control port for-
             warding.  A forwarding request is matched against this file if it
             is present, and no user-specific or RSA-key-specific forwarding
             control file is given.

-- 
Florian Weimer 	                  Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898