Dear OpenSSH-Devs,

I hope this is the correct place to ask this; if not, feel free to ignore it or forward it wherever is better suited. Thank you very much for that!

First of all, thank you for this magnificent piece of software :)

Secondly, I'd like to ask a question, as the Internet and the manuals don't seem to have the answer. Well, they say it's not possible, but I'd just like to make sure. So here it goes:

Is it possible to restrict the ports a certain user is able to open on a remote server?

If I create a tunnel like this from the client side,

    ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i /etc/sshquare/id_rsa -R $port:localhost:22 $user@$host

would it be possible on the server side to restrict $port to, say, 10000 and deny it on all other ports? In a way that $user is only allowed to forward a local port and bind it to 0.0.0.0:10000 but nowhere else.

I have created a Host entry on the server side that allows GatewayPorts, because I actually want to listen on the public interface, and have tried to use a PermitOpen 10000, but as far as I have understood, this is actually for -L forwarding and not the -R I am looking for.

Is there any way to do this?

Again, thank you very much and a happy New Year to all of you!

Cheers,
Juanito