> From: Juanito <juam at posteo.net>
>
> If I create a tunnel like this from the client side,
>
> ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i /etc/sshquare/id_rsa -R $port:localhost:22 $user@$host
>
> would it be possible on the server side to restrict $port to say 10000
> and deny it on all other ports. In a way that $user is only allowed to
> forward a local port and bind it to 0.0.0.0:10000 but nowhere else.
>
> I have created a Host entry on the server side that allows GatewayPorts,
> because I actually want to listen on the public interface and have tried
> to use a PermitOpen 10000 but as far as I have understood, this is
> actually for -L forwarding and not the -R I am looking for.

I'm not sure exactly what you're asking. The -R argument to ssh causes the remote sshd to forward one port back to localhost:22. What that port is depends on the value of the -R argument, which in your case is constructed using $port. But you haven't told us the value of $port in this shell when this command is executed.

Remember: The shell substitutes in the values of all the variables to create the effective command line, which contains no variable references. Then it runs ssh, giving it the argument values that are in the effective command line. ssh does *not* see any variables.

Dale
Hi Dale,

Thanks for your mail.

> I'm not sure exactly what you're asking. The -R argument to ssh causes
> the remote sshd to forward one port back to localhost:22. What that
> port is depends on the value of the -R argument, which in your case is
> constructed using $port. But you haven't told us the value of $port in
> this shell when this command is executed.

In my example, where I didn't express myself very clearly, I meant port to be 10000. The idea would be for port 10000 on the server to redirect to port 22 (ssh) on the device I wish to reach.

So I could do something like:

ssh -p 10000 user@server

to connect to port 22 on the device.

So the device would use autossh to create such a tunnel, and shouldn't be able to open a tunnel on any other port than 10000, with a command similar to this:

ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o IdentitiesOnly=yes -R 10000:localhost:22 user@server

I hope I managed to express myself a little better :)

Thanks again!

Cheers,
Juanito
Hello again,

Actually I just found this, which I believe is exactly what I need but doesn't seem to be implemented:

https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Thank you again!

Cheers,
Juanito
On 1/2/18 10:24 AM, Juanito wrote:
> In my example, where I didn't express myself very clearly, I meant port
> to be 10000. The idea would be for port 10000 on the server to redirect
> to port 22 (ssh) on the device I wish to reach.

You need to be clearer about the names of the machines involved. I assume that your initial ssh is from "the client" to "the server". You want all attempts to connect to port 10000 on the server to be forwarded to port 22 on "the device you wish to reach", which is a third host.

> So I could do something like:
>
> ssh -p 10000 user@server
>
> to connect to port 22 on the device.

This is straightforward: If you use the arguments "-R 10000:device:22", then any attempt to connect to port 10000 on the server will be transported back to the client, from which it will be an outgoing TCP connection to port 22 on "device".

Dale
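The restriction Juanito asks for (accept ssh -R only on port 10000, refuse every other remote listener) is exactly what bugzilla 2038 requested, and OpenSSH 7.8, released later in 2018, added it as the PermitListen sshd_config directive and the matching permitlisten= authorized_keys option. The server-side fragments below are an added example, not part of this thread; they assume the tunnelling account is named "tunnel" and the public key is a placeholder.

```conf
# /etc/ssh/sshd_config on the server (added example; needs OpenSSH >= 7.8).
# Everything here applies only to the account that holds the tunnel open.
Match User tunnel
    # Let the remote-forwarded listener bind the public interface,
    # which is what the original question wants (0.0.0.0:10000).
    GatewayPorts yes
    # The only listener this user may request with "ssh -R" is port 10000.
    # A port-only rule matches any bind address; any other -R request is
    # refused by sshd (the client sees "remote port forwarding failed").
    PermitListen 10000
    # The account exists only to keep the reverse tunnel up (ssh -N),
    # so close everything the autossh client does not need.
    PermitOpen none
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false

# Per-key alternative in ~tunnel/.ssh/authorized_keys, useful when each
# device gets its own key and its own port. "restrict" turns every
# feature off, "port-forwarding" re-enables forwarding, and permitlisten
# narrows -R to the one port (the key below is a placeholder).
# restrict,port-forwarding,permitlisten="10000" ssh-ed25519 AAAA...PLACEHOLDER... device-tunnel
```

With the Match block in place the device's existing command, `ssh -nNT -R 10000:localhost:22 tunnel@server`, keeps working, while `-R 10001:localhost:22` from the same account is rejected and logged by sshd.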