Re: restricting TCP forwarding
- From: julien Touche <julien.touche@xxxxxxxxxxxx>
- Date: Sat, 27 May 2006 11:09:35 +0200
Steven Mocking wrote on 10/05/2006 20:13:
Flash Gordon wrote:
With openssh if you set ownership and permissions on .ssh & .ssh/authorized_keys such that the user can't modify it (e.g. owned
by root) you can use the no-port-forwarding option on the key.
Thanks for the info - that works fine for public/private key authentication, but there are some id-10-t issues on the user side of
the equation, so that is not an option. Key authentication wouldn't
work for most SFTP clients anyway.
I did some further digging and apparently there's a patch to add a
Match keyword to sshd so you can do this on a per-user or per-host
basis. Courtesy of Benjamin Donnachie from the scponly mailing list.
Here's the thread: http://bugzilla.mindrot.org/show_bug.cgi?id=1180
please check the man page to see why this doesn't really exist
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. The default is
    ``yes''. Note that disabling TCP forwarding does not improve
    security unless users are also denied shell access, as they can
    always install their own forwarders.
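The man page caveat above is the point that matters: turning off TCP forwarding only helps when the same users cannot get a shell, because a shell is enough to run a forwarder of their own. The sshd_config fragment below is an added example, not a configuration posted in this thread, showing one way to tie the two together for an SFTP-only population. It assumes an OpenSSH release that supports the Match, ForceCommand internal-sftp and ChrootDirectory keywords (all present in current releases; the message above predates them), and the group name sftponly and the path /srv/sftp are hypothetical.

```sshd_config
# Global defaults: interactive users keep forwarding; nothing here is
# gained by turning it off for people who can run a shell anyway.
AllowTcpForwarding yes

# Keep authorized_keys out of the user's reach (Flash Gordon's point):
# a root-owned directory the user cannot write to, so key options such
# as no-port-forwarding cannot be edited away.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Hypothetical group "sftponly": these accounts get the in-process SFTP
# server and no shell, so the man page caveat no longer applies.
Match Group sftponly
    ForceCommand internal-sftp
    # /srv/sftp/<user> must be root-owned and not group/world-writable,
    # or sshd refuses the chroot.
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

After editing, check what a given account actually receives rather than trusting the file: `sshd -T -C user=alice` prints the effective configuration for that user after Match evaluation, so a typo in the group name or a Match block placed before a global directive it was meant to override shows up as `allowtcpforwarding yes` in that output. ForceCommand internal-sftp also means the restrictions no longer depend on which SFTP client the user runs or on whether key authentication is in use, which was the objection raised above to the per-key approach.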