Re: Prevent some port forwarding
From: Tony Finch (dot_at_dotat.at)
Date: 06/07/04
- Next message: Gregory Cain: "Oops..."
- Previous message: Mikhail Teterin: "Re: SSH as a VPN Client?"
- In reply to: Darren Tucker: "Re: Prevent some port forwarding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 07 Jun 2004 18:01:37 +0100 (BST)
dtucker@dodgy.net.au (Darren Tucker) wrote:
>doff <lefevred.antispoum@free.fr> wrote:
>>is there a way in openssh, to tell sshd to accept port forwarding, only
>>for one or two ports and reject others ?
>
>Yes, if you're using public-key authentication. It's in the sshd
>man page under "AUTHORIZED_KEYS FILE FORMAT":
>
> permitopen="host:port"
> Limit local ``ssh -L'' port forwarding such that it may only connect
> to the specified host and port. IPv6 addresses can be specified
> with an alternative syntax: host/port. Multiple permitopen
> options may be applied separated by commas. No pattern matching
> is performed on the specified hostnames, they must be literal
> domains or addresses.

However users can usually overwrite the authorized_keys file to get around
the restriction.

You might be interested in the patch in the following post to the
openssh-unix-dev list. It hasn't been updated to a recent version
of openssh, I'm afraid, so it might not be totally easy to deploy.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104387691708672&w=2

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
SELSEY BILL TO LYME REGIS: VARYING BETWEEN SOUTH AND EAST 3 OR LESS.
MAINLY FAIR. MODERATE OR GOOD. SLIGHT.
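
An added example, not part of the original messages or of OpenSSH: a small audit of authorized_keys content that reports keys lacking a permitopen option or naming targets outside an allow-list, plus a check for the caveat raised above (a file the account itself can rewrite). The function names, the allow-list and the sample lines are assumptions made for illustration.

```python
import os

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one has no options

def parse_options(line):
    """Return the comma-separated options that precede the key type."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted = [], "", False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted          # commas and spaces inside quotes are data
        if not quoted and c in ", \t":
            opts.append(cur)
            cur = ""
            if c != ",":
                break                    # first unquoted whitespace ends the field
        else:
            cur += c
    return [o for o in opts if o]

def audit(lines, allowed):
    """Flag keys with no permitopen option or with targets outside `allowed`."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.strip()[:1] in ("", "#"):
            continue                     # blank line or comment
        targets = {o.split("=", 1)[1].strip('"') for o in parse_options(line)
                   if o.lower().startswith("permitopen=")}
        if not targets:
            findings.append(f"line {n}: no permitopen restriction")
        elif targets - allowed:
            findings.append(f"line {n}: extra targets {sorted(targets - allowed)}")
    return findings

def user_controlled(path, stat_fn=os.stat):
    """True if the file or its directory is not root-owned (account can rewrite it)."""
    return any(stat_fn(p).st_uid != 0 for p in (path, os.path.dirname(path)))

# Constructed sample; addresses are documentation ranges, keys are placeholders.
SAMPLE = [
    "# constructed authorized_keys content",
    'permitopen="192.0.2.10:5432",permitopen="192.0.2.11:80" ssh-ed25519 AAAAplaceholder a',
    'command="/usr/bin/backup, nightly",no-pty ssh-rsa AAAAplaceholder b',
    'permitopen="192.0.2.10:5432",permitopen="198.51.100.7:22" ssh-rsa AAAAplaceholder c',
    "ssh-ed25519 AAAAplaceholder d",
]
```

Pass user_controlled() an absolute path. OpenSSH releases newer than this thread also accept a PermitOpen directive in sshd_config, which sits outside the user's home directory.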