Hi,

I'm looking for the best way to include an external decision mechanism into OpenSSH, which allows it to restrict port forwarding only to destination ports which are defined in a special external control file for the authenticated session. The authenticated ssh user should only be allowed to connect to this dedicated port to tunnel a VNC session through ssh. So the server side has to decide if the received client data in the ssh channel could be forwarded or not.

Does there already exist a solution for the current OpenSSH version?

Last year I read in a mailing list that such behavior was included in earlier versions of OpenSSH.

Regards,
Roland
RR_ITCSEC wrote:
> Hi,
>
> I'm looking for the best way to include an external decision mechanism into
> OpenSSH, which allows it to restrict port forwarding only to destination
> ports which are defined in a special external control file for the
> authenticated session. The authenticated ssh user should only be allowed to
> connect to this dedicated port to tunnel a VNC session through ssh. So the
> server side has to decide if the received client data in the ssh channel
> could be forwarded or not.
> Does there already exist a solution for the current OpenSSH version?
>
> Last year I read in a mailing list, that such behavior was included in
> earlier versions of OpenSSH.

you can add permitopen= to the keys:

    permitopen="host:port"
        Limit local ``ssh -L'' port forwarding such that it may only connect
        to the specified host and port. IPv6 addresses can be specified with
        an alternative syntax: host/port. Multiple permitopen options may be
        applied separated by commas. No pattern matching is performed on the
        specified hostnames, they must be literal domains or addresses.

frank
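As an added illustration (not part of the thread, and not OpenSSH's own code), the following POSIX shell snippet builds the kind of authorized_keys entry frank describes, pinning the key to a single forwarding destination, and audits an existing entry to confirm it allows nothing else. The VNC display address (localhost:5901), the extra no-pty/no-X11-forwarding/no-agent-forwarding options and the key material are assumptions chosen for the example.

```shell
# Added example: build and audit an authorized_keys entry that restricts
# "ssh -L" forwarding to one host:port via permitopen=. Not from the thread.

# Constructed placeholder key; a real entry carries the full base64 blob.
PLACEHOLDER_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC...EXAMPLE vncuser@example'

# Print an authorized_keys line for KEY that may only forward to HOST:PORT.
# The extra options keep the session to tunnelling: no terminal, no X11,
# no agent forwarding (the user connects with "ssh -N -L ...").
vnc_only_entry() {
    host=$1; port=$2; key=$3
    printf 'permitopen="%s:%s",no-pty,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$host" "$port" "$key"
}

# Return 0 if every permitopen option on LINE names exactly HOST:PORT.
# Returns 1 if there is no permitopen at all (forwarding is unrestricted)
# or if any permitopen names a different destination.
entry_allows_only() {
    host=$1; port=$2; line=$3
    dests=$(printf '%s\n' "$line" \
        | grep -o 'permitopen="[^"]*"' \
        | sed 's/permitopen="\(.*\)"/\1/')
    [ -n "$dests" ] || return 1
    for d in $dests; do
        [ "$d" = "$host:$port" ] || return 1
    done
    return 0
}

# Audit a whole authorized_keys FILE: print each line that does not
# restrict forwarding to HOST:PORT. Returns 0 when all entries comply.
audit_authorized_keys() {
    host=$1; port=$2; file=$3; rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! entry_allows_only "$host" "$port" "$line"; then
            printf 'unrestricted or mismatched entry: %s\n' "$line"
            rc=1
        fi
    done < "$file"
    return $rc
}
```

Because permitopen only governs client-requested (`-L`) forwards, pair it with whatever else the account must not do; a key that forwards only to the VNC display but still gets a shell is not much of a restriction.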