limiting scope of reverse port forwarding (-R)

From: Ian! D. Allen (idallen@freenet.carleton.ca)
Date: 11/14/02

My college has firewalled off the campus so that nobody can connect
to anything useful from outside. I have my Linux machines on campus
"calling home" with ssh (via the crontab) to set up reverse tunnels that
let me get back to the on-campus machines, e.g. something like:

    ssh -i somekey -l someuser -R 123x:localhost:22 idallen.com
    
in all the on-campus Linux machines (where "x" differs among machines).

The problem is, I'm using a password-less public key for this connection
(because it's automated from the crontab) and I want to limit what the
connection can do in case someone steals my key on campus.

In the authorized_keys file on idallen.com, using permitopen="host:port",
I can restrict to which ports the clients can forward via -L (effectively
disabling all such ports - I don't want any tunnelled access to
idallen.com from the clients). I can limit the hosts from which I will
accept connections using from="pattern-list".

I see no way of limiting the range of -R ports that a client may use.

Anyone who steals my key on one of my on-campus Linux machines can
connect to idallen.com and listen on any and all ports they want.

Is this the best I can do for reverse-port-forwarding security?

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada   idallen@ncf.ca
       Home Page on the Ottawa FreeNet: http://www.ncf.ca/~aa610/
       College professor at: http://www.algonquincollege.com/~alleni/
       Board Member, TeleCommunities CANADA  http://www.tc.ca/
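An added audit script (not part of the original post or of OpenSSH) for the situation above: it parses authorized_keys option lists on the home host and reports automation keys that lack the restrictions discussed. It also checks for permitlisten="host:port", which later OpenSSH releases (7.8 onwards) added to bound the -R side exactly as the post asks; the key material, host patterns, ports and the command="sleep infinity" keep-alive (which assumes GNU sleep) are constructed placeholders.

```python
# Constructed authorized_keys content for the home host; the key material,
# host patterns and ports are placeholders, not values from the original post.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted automation key, as in the question
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER campus-box-1
# same key restricted; permitlisten (OpenSSH 7.8+) bounds the -R side
from="*.campus.example,10.0.0.0/8",permitopen="localhost:1",permitlisten="localhost:1231",command="sleep infinity",no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER campus-box-1
"""
# Restrictions an unattended reverse-tunnel key should carry (lower case:
# sshd matches option names case-insensitively).
REQUIRED = ("from", "permitopen", "permitlisten", "no-pty",
            "no-agent-forwarding", "no-x11-forwarding")

def parse_options(line):
    """Split the option list off an authorized_keys line -> ({name: [values]}, rest)."""
    opts = {}
    if line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return opts, line                      # line carries no options
    i, cur, tokens = 0, "", []
    while i < len(line) and not line[i].isspace():
        if line[i] == '"':                     # quoted value: may hold commas and \"
            i += 1
            while i < len(line) and line[i] != '"':
                if line[i] == "\\" and i + 1 < len(line):
                    i += 1                     # keep the escaped character literally
                cur += line[i]
                i += 1
            i += 1                             # skip the closing quote
        elif line[i] == ",":
            tokens.append(cur)
            cur, i = "", i + 1
        else:
            cur += line[i]
            i += 1
    for name, _, value in (t.partition("=") for t in tokens + [cur] if t):
        opts.setdefault(name.lower(), []).append(value)
    return opts, line[i:].strip()

def audit(text):
    """Return (key comment, missing restrictions) for every key line in text."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts, rest = parse_options(line)
        parts = rest.split(None, 2)
        comment = parts[2] if len(parts) > 2 else "(no comment)"
        findings.append((comment, [o for o in REQUIRED if o not in opts]))
    return findings
```

Running audit(SAMPLE_AUTHORIZED_KEYS) flags the first key as missing every restriction and the second as clean.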