similar to: authorized_keys options for remote forwarding

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I was setting up sshd on a netbsd box to allow cygwin users to auto-ssh in, and be rsync'ed. I wanted to secure the install such that a compromised or stolen cygwin client could not be used to attack the sshd server. Setting shell to /usr/bin/false and using -N client side were helpful. I disabled portforwarding for the client sshkey, and

I've just discovered the permitopen flag. We need such a feature for our poor man's VPN services, but this flag seems to be usable only if you generate your authorized_keys file from a database or something like that: keeping a long list of host/port combinations up to date for several users and keys is no fun. As announced before, we have developed a far more powerful mechanism for

https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Priority: P5 Bug ID: 2038 Assignee: unassigned-bugs at mindrot.org Summary: permitopen functionality but for remote forwards Severity: enhancement Classification: Unclassified OS: Other Reporter: damonswirled at gmail.com Hardware: Other

https://bugzilla.mindrot.org/show_bug.cgi?id=3159 Bug ID: 3159 Summary: authorized_keys: gap in port forwarding restrictions Product: Portable OpenSSH Version: 8.0p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs

Hi, I'm looking for the best way to include an external decision mechanism into OpenSSH, which allows it to restrict port forwarding only to destination ports which are defined in a special external control file for the authenticated session. The authenticated ssh user should only be allowed to connect to this dedicated port to tunnel a VNC session through ssh. So the server side has to

http://bugzilla.mindrot.org/show_bug.cgi?id=1326 Summary: Allow non-public-key credentials in authorized_keys file (Kerberos, etc.) Product: Portable OpenSSH Version: 4.4p1 Platform: All OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: Kerberos support

https://bugzilla.mindrot.org/show_bug.cgi?id=1857 Summary: [RFE] restrict port forwarding to localhost Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places

Hi, Is there a way to restrict port forwarding on the server? I want only port 8080 on the server to be available to clients. Example when i give this command clients should be able to connect: ssh -L 30300:localhost:8080 .... When i give this for example clients should not be able to connect: ssh -L 30300:localhost:4040 .... I tried this option in config file of server: PermitOpen

https://bugzilla.mindrot.org/show_bug.cgi?id=1513 Summary: CIDR address/masklen matching support for permitopen= Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

I have a need to add some server-side ACL functionality to the way ssh handles port forwarding. For a first pass, I want to be able to restrict -L port forwarding to localhost on the server only and I want to be able to specify the ports on Server. I was wondering if there would be any desire to incorporate said changes back into the main development tree? If so, are there coding guildlines

Hi all, I have a server where I allow some people to do SSH port forwarding for SVN, GIT, since I need to do that to access these services in certain locations. I can't access SVN ports in some work locations. Thing is, I also give specific access to some user accounts, mainly git and svn user, to some people I don't fully trust to have access to my VNC server, which is without password

https://bugzilla.mindrot.org/show_bug.cgi?id=1949 Bug #: 1949 Summary: PermitOpen none option Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: OpenBSD Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=1267 Summary: PermitOpen - Multiple forwards don't works Product: Portable OpenSSH Version: v4.5p1 Platform: ix86 OS/Version: Cygwin on NT/2k Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org

Hi Phillipp, developers; I likewise just submitted a patch for similar. It i buried under the thread named OpenSSH contract development / patch. At the request of the OpenSSH dev team, I submitted our patch in the mindrot Bugzilla https://bugzilla.mindrot.org/show_bug.cgi?id=2711 Your patch, I see is available there too https://bugzilla.mindrot.org/show_bug.cgi?id=2716 Anyhow, just drawing

Hi OpenSSH devs, I?m wondering if the following has any merit and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals=?batcha-fwd,batchb-fwd? ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes

AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I?m wondering if the following has any merit and can be done securely ... > > If you could

Hi, Is it possible to restrict a client port-forwarding to one port? For example i want client X to open only port 1037 on server through port-forwarding, client Y only port 1038 and so on... How can this be possible? I use private/public keys authentication. Client version is openssh3.8p1, is windows client, and server version is latest openssh on a linux machine. Can anyone help please? Thank

On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in