I'm curious as to whether or not there is a way to restrict forwarded ports
server side. For instance, I'm running an IRC server and am allowing users
to connect via ssh forwarding (so I can take advantage of using openssh's
public key method for authentication). Each client I tell to set up their
~/.ssh/config in a certain way, but the relevant line is:
LocalForward 6667 localhost:42000
where port 42000 is what ircd is listening to on the server. This works
great, but my concern is a user changing this to localhost:3306 to gain
access to MySQL, which is firewalled off.
Reading O'Reilly's book on ssh, I see that F-Secure has a config option
"AllowForwardingPort" to allow a range of ports that can be forwarded, but
no mention of openssh having the same functionality.
Basically, what I'd like to see in my (server-side) authorized_keys file is
something like:
no-pty,command="sleep 20",allowforwardingport="42000"
ssh-dss [key]
So that I can restrict what ports can be forwarded on a per-account basis (I
only want this restriction for this one "general" user that everyone uses to
obtain access to the IRC server).
I know the book is a little dated, but has anything like this appeared in
openssh yet? If not, are there perhaps plans to do something like this? I
think it could be invaluable. Or, if there are no plans, does anyone have
any ideas how I could implement something like this?
Thanks very much in advance.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
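What later OpenSSH releases provide for exactly this, as an added example that is not part of the original post and not OpenSSH's own code: the permitopen="host:port" authorized_keys option (combined with "restrict" and "port-forwarding" on versions that have them) and the PermitOpen directive in sshd_config, scoped to one account with a Match block. The account name, sample key, and the local forward_allowed check are illustrative assumptions; only the option and directive names are real OpenSSH ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH itself.
# It shows the per-key forwarding restriction asked for above, as later
# OpenSSH releases express it: the permitopen="host:port" authorized_keys
# option and the PermitOpen directive inside an sshd_config Match block.
# The account name, key and port numbers below are illustrative assumptions.

IRC_PORT=42000     # port ircd listens on (from the post)
IRC_USER=irc       # assumed name of the shared IRC account

# Build the authorized_keys line for one client key ($1 = "type base64").
# "restrict" switches off pty allocation, agent/X11 forwarding and all port
# forwarding; "port-forwarding" turns port forwarding back on, and
# permitopen then confines ssh -L targets to localhost:42000 only, so a
# client that edits LocalForward to point at localhost:3306 is refused.
irc_key_line() {
    printf 'restrict,port-forwarding,permitopen="localhost:%s",command="sleep 20" %s\n' \
        "$IRC_PORT" "$1"
}

# Equivalent server-wide policy for the same account, for setups where the
# per-key line is not convenient. Match keeps it from touching other users.
irc_sshd_fragment() {
    cat <<EOF
Match User $IRC_USER
    AllowTcpForwarding local
    PermitOpen localhost:$IRC_PORT
    PermitTTY no
    ForceCommand sleep 20
EOF
}

# Local model of the permitopen check so the policy can be exercised
# without a live sshd (an illustration, not sshd's code): $1 is the
# comma-separated permitopen list, $2 the requested "host:port". Hosts must
# match literally (sshd does no name lookup or pattern matching here); a
# port of "*" matches any port. Exit status 0 = allowed, 1 = refused.
forward_allowed() {
    specs=$1
    req_host=${2%:*}
    req_port=${2##*:}
    oldifs=$IFS
    IFS=,
    set -f                 # no globbing while splitting on commas
    set -- $specs
    set +f
    IFS=$oldifs
    for spec; do
        host=${spec%:*}
        port=${spec##*:}
        [ "$host" = "$req_host" ] || continue
        if [ "$port" = "*" ] || [ "$port" = "$req_port" ]; then
            return 0
        fi
    done
    return 1
}

# Usage: show the key line and config fragment for a sample (constructed)
# key, then exercise the check with the two targets from the post.
sample_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly user@client"
irc_key_line "$sample_key"
irc_sshd_fragment
for target in localhost:42000 localhost:3306; do
    if forward_allowed "localhost:$IRC_PORT" "$target"; then
        echo "$target: allowed"
    else
        echo "$target: refused (administratively prohibited)"
    fi
done
```

permitopen and PermitOpen govern local (-L) forwards only; remote (-R) forwards are controlled separately by permitlisten/PermitListen on versions that have them. A client whose LocalForward points outside the list still logs in, but the forwarded channel is refused with an "administratively prohibited" open failure rather than reaching MySQL.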