As subject:
I'd like to suggest the following additions to OpenSSH to add extra
logging and security features around tunneling
1) When a SSH Tunnel is set up the SSH server should log (with an
appropriate LogLevel setting VERBOSE, DEBUG?) the user and the dest
ip/port combination setup, to enable sensible auditing controls to be in
place for forwarded connections.
2) Add a new sshd_config option to control port forwarding based based on
forwarded destination IPs and ports e.g.
AllowForwardingTo *:80
AllowForwardingTo 1.2.3.4:8080
AllowForwardingTo 6.7.8.9
DenyForwardingTo *
3) If possible restrict forwarding on a per group/user basis at the global
configuration level, rather than on an individual basis in there
authorized_keys file.
Cheers
Gareth
