Re: Restrict a client port-forward to 1 port

Hi,

Thank you so much all for the suggestions :)))

Same as Peter, I believe that this should be a feature of OpenSSH:
restrict not only the local port along with a public key, but the remote port
also. This will solve my problem. So please, if someone can implement
this, it would be great...

In the meantime I will try to handle it with the Linux suggestions...
The problem with this approach is that all my clients connect to the server
with the same user. And from your suggestions I see that I can bind a port
to a user to do the restriction.
Is there any other way to do this? Like bind the IP of the client with a port?
Right now the only way to identify a client uniquely on my server is by
its public key in authorized_keys; that's why this feature would have
been nice to have implemented in ssh...

Thank you so much all,
Adriana

On Sun, Aug 16, 2009 at 01:15, Peter Stuge <peter@xxxxxxxx> wrote:
> Hi Adriana,
>
> Adriana Rodean wrote:
> > If ssh can't, I'm thinking maybe Linux can...
> > I mean restrict only client X (which is behind a certain IP
> > address) to listen to port 1037 on the server.
>
> No, if this is going to happen it has to happen in the SSH server.
>
> OpenSSH can do this if each client has their own private SSH key, and
> is using it for authentication.
>
> As was suggested, you would then disable all other authentication
> methods than publickey in sshd, disallow generic port forwarding, and
> include a permitopen directive for each client public key in
> ~/.ssh/authorized_keys.
>
> If you wish for it to function differently, keep in mind that one
> really wonderful property of open source software such as OpenSSH
> (and Linux) is that you yourself, or a contractor, can implement the
> functionality you desire, exactly the way you like it. Of course it
> is appreciated if any changes are made in agreement with developers,
> and contributed back (posted to this mailing list) once finished.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
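A worked version of the configuration Peter describes, added here as an example; it is not code from this thread or from the OpenSSH project. It assumes OpenSSH 7.8 or newer on the server, because the authorized_keys options restrict, port-forwarding and permitlisten that it uses did not exist in 2009. The distinction matters for Adriana's question: permitopen only limits where a client's ssh -L forward may connect, while permitlisten limits which server port a client's ssh -R forward may bind, which is exactly the per-key remote-port restriction asked for above. The key string is a constructed placeholder, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from OpenSSH itself.
# Assumes OpenSSH 7.8 or newer on the server: the authorized_keys options
# "restrict", "port-forwarding" and "permitlisten" used below did not exist
# when this message was written.

# Constructed placeholder key line (not a real key); it only shows the shape.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAONLY client-x'

# sshd_config fragment. Publickey is the only way in, and only remote
# forwarding (ssh -R, the kind that listens on the server) stays enabled so
# that permitlisten on each key line can narrow it to one port. authorized_keys
# options can only narrow what sshd allows here; they cannot re-enable
# forwarding that sshd_config turns off.
sshd_config_fragment() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowTcpForwarding remote
GatewayPorts no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
EOF
}

# Build one authorized_keys line for one client key.
#   $1  the client's public key line
#   $2  host:port the client may reach with ssh -L (permitopen); "" for no entry
#   $3  [host:]port the client may bind on the server with ssh -R (permitlisten); "" for no entry
# "restrict" disables pty, agent/X11 forwarding, ~/.ssh/rc and port forwarding;
# "port-forwarding" re-enables only port forwarding, which permitopen and
# permitlisten then limit to the given destinations.
authorized_keys_entry() {
    opts=restrict,port-forwarding
    [ -n "$2" ] && opts="$opts,permitopen=\"$2\""
    [ -n "$3" ] && opts="$opts,permitlisten=\"$3\""
    printf '%s %s\n' "$opts" "$1"
}

# Return the option field of an authorized_keys line (everything before the
# key type); SSH public key data always starts with "AAAA".
entry_options() {
    printf '%s\n' "$1" | sed 's/ [a-z][a-z0-9@.-]* AAAA.*//'
}

# Client X may only listen on server port 1037 with ssh -R; the fragment above
# already denies -L for everyone, so no permitopen entry is needed.
CLIENT_X_ENTRY=$(authorized_keys_entry "$SAMPLE_PUBKEY" "" "1037")

# Stand-alone run: print both fragments for review.
sshd_config_fragment
printf '%s\n' "$CLIENT_X_ENTRY"
```

Append the line authorized_keys_entry prints to the shared user's ~/.ssh/authorized_keys, one line per client key. Since every client logs in as the same user, the key is what tells them apart, and sshd applies only the options on the line whose key actually authenticated; a client presenting client X's key can then bind nothing but port 1037, and sshd logs the refused requests for anything else. If some clients do need ssh -L as well, switch AllowTcpForwarding to yes and give each such key a permitopen entry, remembering that each option limits only its own direction.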