How can I limit ssh *remote* port forwarding?

I need to limit which ports can be remotely forwarded (`ssh -R`) by a user.

I know about the permitopen option in authorized_keys, but as the man page says, it only limits local (`ssh -L`) port forwarding.

As discussed here, a user could get the same with netcat or similar, but in this case the user has no shell access.

I also found this thread that talks about using SELinux or LD_PRELOAD, but I have never configured SELinux before and can't find info on how to do that with LD_PRELOAD.

Maybe someone has made a patch for OpenSSH to implement that?

I've found this bug report, so I guess it's not yet implemented.



Method 1

This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:

    add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).
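To see what these directives actually decide, here is an added example (not OpenSSH code, and not from the answer above) that models the matching rules sshd_config(5) describes for PermitListen and permitlisten=: an entry is `port` or `host:port`, `*` is a wildcard for host or port, `any` lifts all restrictions and `none` refuses every remote forward. The sshd_config fragment and the user name `tunneluser` are constructed for the example; the model also assumes the client names the bind address explicitly, whereas a real `ssh -R port:...` without a bind address listens on localhost unless GatewayPorts says otherwise.

```python
"""Model of OpenSSH PermitListen / permitlisten= matching for ssh -R.

Added example, not OpenSSH's implementation: it mirrors the rules given in
sshd_config(5) so an administrator can reason about which remote-forward
requests a given configuration would accept.
"""
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sshd_config fragment (not from the original page):
# refuse remote forwards globally, allow two listeners for one account.
SAMPLE_SSHD_CONFIG = """
PermitListen none
Match User tunneluser
    PermitListen localhost:2222 *:8080
"""


@dataclass(frozen=True)
class ListenRule:
    host: Optional[str]  # None: any listen address (bare port or "*")
    port: Optional[int]  # None: any port ("*")


def parse_permit_listen(spec: str) -> Union[str, List[ListenRule]]:
    """Parse a PermitListen / permitlisten= value into "any", "none" or rules."""
    spec = spec.strip()
    if spec == "any":
        return "any"
    if spec == "none":
        return "none"
    rules = []
    for entry in spec.split():
        host: Optional[str] = None
        port_s = entry
        if ":" in entry:
            # IPv6 listen addresses are written [addr]:port, so split on the last colon
            host, port_s = entry.rsplit(":", 1)
            host = host.strip("[]")
            if host == "*":
                host = None
        port = None if port_s == "*" else int(port_s)
        rules.append(ListenRule(host, port))
    return rules


def remote_forward_allowed(rules: Union[str, List[ListenRule]],
                           bind_addr: str, port: int) -> bool:
    """Would sshd accept `ssh -R bind_addr:port:...` under these rules?"""
    if rules == "any":
        return True
    if rules == "none":
        return False
    for rule in rules:
        if rule.port is not None and rule.port != port:
            continue
        if rule.host is not None and rule.host != bind_addr:
            continue
        return True
    return False


def effective_permit_listen(config_text: str, user: str) -> str:
    """Pick the PermitListen value that applies to `user`.

    sshd_config(5): the first global value wins, and a matching `Match User`
    block overrides it.  Unset means "any" (all forwards permitted).
    """
    global_value, global_seen = "any", False
    match_value: Optional[str] = None
    in_block: Optional[bool] = None  # None: global section, else block matches?
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit, _, names = value.partition(" ")
            in_block = crit.lower() == "user" and user in names.split(",")
            continue
        if keyword != "permitlisten":
            continue
        if in_block is None and not global_seen:
            global_value, global_seen = value, True
        elif in_block and match_value is None:
            match_value = value
    return match_value if match_value is not None else global_value


if __name__ == "__main__":
    for user in ("tunneluser", "someone-else"):
        rules = parse_permit_listen(effective_permit_listen(SAMPLE_SSHD_CONFIG, user))
        for addr, port in (("localhost", 2222), ("0.0.0.0", 2222), ("0.0.0.0", 8080)):
            print(user, f"-R {addr}:{port}", "allowed" if remote_forward_allowed(rules, addr, port) else "refused")
```

The same `localhost:2222 *:8080` string works as an authorized_keys option, written as `permitlisten="localhost:2222 *:8080"` in front of the key, which is the per-key form for accounts that have no shell.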

Method 2

There's an option no-port-forwarding that you can use, which prevents all port forwarding. It is present at least as of OpenSSH 4.3p2 (CentOS 5.3, the oldest machine I have access to). Put it in the same place that you would have put permitopen.

Method 3

It isn't possible to limit that using ssh. Maybe SELinux or iptables could be used to that end. However, there is an alternative strategy which may or may not suit your needs: use binding to UNIX sockets. This should be available starting from OpenSSH version 6.8.

When using sockets you have the filesystem ACL (though whether sockets respect that may be *nix dependent) at your disposal, and you can use it to prevent one user from binding to another one's sockets. However, it doesn't prevent binding to ports in any way, so depending on your use case it may not help, but maybe ports don't matter if you can consistently use only sockets.

With UNIX sockets, handling dangling socket files may be problematic as reverse publishers try to reconnect. I have another question (and answer) on that problem. In short, you probably also want to use StreamLocalBindUnlink yes:

How to cleanup SSH reverse tunnel socket after connection closed?

Method 4

Looks like you can use the following?

In the server configuration file there is a PermitOpen option. This option can be used to specify hosts and ports for which forwards can be established. This option can be used inside a Match block, so it can be restricted by user, group, or hostname or IP address pattern.

So in the server config add the following:

    PermitOpen host:port
    PermitOpen IPv4_addr:port
    PermitOpen [IPv6_addr]:port

All methods were sourced from or are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
