limiting scope of reverse port forwarding (-R)

From: Ian! D. Allen (
Date: 11/14/02

From: (Ian! D. Allen)
Date: Thu, 14 Nov 2002 17:11:04 +0000 (UTC)

My college has firewalled off the campus so that nobody can connect
to anything useful from outside. I have my Linux machines on campus
"calling home" with ssh (via the crontab) to set up reverse tunnels that
let me get back to the on-campus machines, e.g. something like:

    ssh -i somekey -l someuser -R 123x:localhost:22
in all the on-campus Linux machines (where "x" differs among machines).

The problem is, I'm using a password-less public key for this connection
(because it's automated from the crontab) and I want to limit what the
connection can do in case someone steals my key on campus.

In the authorized_keys file on, using permitopen="host:port", I can
restrict to which ports the clients can forward via -L (effectively
disabling all such ports - I don't want any tunnelled access to from
the clients). I can limit the hosts from which I will accept
connections using from="pattern-list".

I see no way of limiting the range of -R ports that a client may use.

Anyone who steals my key on one of my on-campus Linux machines can
connect to and listen on any and all ports they want.

Is this the best I can do for reverse-port-forwarding security?

-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada
       Home Page on the Ottawa FreeNet:
       College professor at:
       Board Member, TeleCommunities CANADA
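A small audit script, added here as an example and not part of the original post: it flags authorized_keys entries whose key holder could open -R tunnels on any port, using the option names from sshd(8) (permitlisten, which pins -R the way permitopen pins -L, arrived in OpenSSH 7.8, long after this was written). The sample file, its key blobs, hostnames and port are constructed.

```shell
# Added audit example (not from the original post): flag authorized_keys
# entries whose key holder may open -R tunnels on any port. Option names
# follow sshd(8) AUTHORIZED_KEYS FILE FORMAT; permitlisten needs OpenSSH 7.8+.
# Options prefix of one authorized_keys line ("" if none). The key-type
# token (ssh-*, ecdsa-sha2-*, sk-*) marks where the options end.
key_options() {
    printf '%s\n' "$1" | sed -E 's/(^| )(ssh-|ecdsa-sha2-|sk-)[^ ]+ .*$//'
}

# "ok" if remote forwarding is off or limited by permitlisten, else "WARN".
# Quoted values are blanked first so command="restrict" cannot fool it.
classify_key_options() {
    opts=$(printf '%s' "$1" | sed 's/"[^"]*"//g' | tr ',' '\n')
    restrict=0 fwd_off=0 fwd_on=0 listen=0
    for tok in $opts; do
        case "$tok" in
            restrict)           restrict=1 ;;
            no-port-forwarding) fwd_off=1 ;;
            port-forwarding)    fwd_on=1 ;;   # re-enables after restrict
            permitlisten=*)     listen=1 ;;
        esac
    done
    if [ "$fwd_off" = 1 ] || { [ "$restrict" = 1 ] && [ "$fwd_on" = 0 ]; }; then
        echo ok
    elif [ "$listen" = 1 ]; then echo ok
    else echo WARN
    fi
}

# Print "<verdict> line <n>" for each key entry in an authorized_keys file.
audit_authorized_keys() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s line %d\n' "$(classify_key_options "$(key_options "$line")")" "$n"
    done < "$1"
}

# Constructed sample (fake key blobs). Entry 1 is the post's setup: from= and
# permitopen= set, -R still wide open. Entry 2 pins -L and -R to one port each.
sample=$(mktemp)
cat > "$sample" <<'EOF'
from="*.campus.example",permitopen="localhost:22" ssh-ed25519 AAAAC3FAKE== callhome-old
restrict,port-forwarding,permitopen="localhost:22",permitlisten="8221",from="*.campus.example" ssh-ed25519 AAAAC3FAKE== callhome-new
no-port-forwarding,no-pty,command="/usr/local/bin/status" ssh-rsa AAAAB3FAKE== status-only
ssh-ed25519 AAAAC3FAKE== plain-key
EOF
audit_authorized_keys "$sample"; rm -f "$sample"   # WARN line 1, ok line 2, ok line 3, WARN line 4
```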