Re: Port forwarding and access restriction

Hi Izak,

Thanks for your answer, but I think I didn't make myself clear enough (or I simply didn't understand your answer, which is still possible...). I don't want to restrict access to SSH logins, I want to restrict access to a local port forwarding. Here's the complete story.

I have a server A that can SSH to a computer B. On B, I have a VNC service running that I want to make available to a 3rd-party user. To do that, I create an SSH tunnel from A to B, forwarding port 36725 on A to port 5900 on B, making the local port on A accessible from the outside world:

ssh -L *:36725:localhost:5900 user@B

Now the user uses a VNC client to connect to A:36725. What I'd like to know is whether I can impose access restriction on A:36725, for instance by limiting the number of accepted connections.

In your answer, you mention settings in sshd_config. These are for the SSH daemon, right? Do these also apply to the SSH client that is doing port forwarding?

Max Jaxon wrote:
Hi Michael,

Limit User Logins

SSH logins can be limited to only certain users who need remote access. If you have many user accounts on the system, then it makes sense to limit remote access to only those that really need it, thus limiting the impact of a casual user having a weak password. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config. For example:

AllowUsers alice bob
and then restart the daemon.

Kind Regards,


On Fri, Jan 29, 2010 at 12:06 PM, Michael Goffioul <michael.goffioul@xxxxxxxxxx> wrote:


When creating a local port forwarding with SSH (using the -L command flag), is it possible to limit the number of clients that will be able to connect to the local port?

Let's say I do:

ssh -L user@hostname

Can I limit the number of accepted clients on port 36725?


Michael Goffioul
Software Engineer

Lincor Solutions Ltd.
Unit 6
Cork Technology Park, Model Farm Road, Cork

Tel: +353 21 4941618
Fax: +353 21 4342400
E-mail: michael.goffioul@xxxxxxxxxx

Kind Regards,

Izak Schipper MCSE Security+,CWNA,CCNA,C|PTS,C|EH,CISSP

Infrastructure Security Specialist

Tel: +31 (0) 6 3850 63 26