I need to limit which ports can be remotely ‘ssh -R’ forwarded by a user.
I know about the permitopen option in authorized_keys, but as it says on the man page it only limits local ‘ssh -L’ port forwarding.
As discussed here, a user would get the same with netcat or similar, but in this case the user has no shell access.
I also found this thread that talks about using selinux or LD_PRELOAD, but I never configured selinux before and can’t find info on how to do that with
Maybe someone has made a patch for openssh to implement that?
I’ve found this bug report, so I guess it’s not yet implemented.
This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:
add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R …).
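Added example, not part of the answer or of the OpenSSH release notes: how both forms look on a 7.8p1 or later server, with the unrestricted default shown beside the tightened version. The account name backup-agent, the port 8022 and the key are constructed placeholders.

```text
# --- /etc/ssh/sshd_config (constructed excerpt) ---------------------------
# Before: nothing restricts -R, so any account may ask sshd to listen on
# any free port (this is the implicit default):
#   PermitListen any

# After: refuse every remote-forward listen request by default ...
PermitListen none

# ... and re-enable exactly one port for the one account that needs it.
# Match overrides the global value for connections from this user only.
Match User backup-agent
    # Only "ssh -R 8022:<target>:<port>" is accepted; a request for any
    # other port is rejected by sshd before a socket is ever bound.
    # Port-only form = any listen address (GatewayPorts still applies).
    PermitListen 8022
    # Keep the older knobs consistent: allow -R but no -L at all.
    AllowTcpForwarding remote
    PermitOpen none

# --- ~backup-agent/.ssh/authorized_keys (constructed, one line) -----------
# Same limit bound to the key instead of the account. "restrict" turns off
# pty, agent, X11 and forwarding; "port-forwarding" re-enables forwarding,
# and permitlisten= then narrows -R to the listed port (several entries
# may be given, separated by commas).
restrict,port-forwarding,permitlisten="8022" ssh-ed25519 AAAA...PLACEHOLDER... backup-agent

# --- Verify what sshd will actually apply for that user (run as root) -----
#   sshd -t                                    # syntax check of the config
#   sshd -T -C user=backup-agent | grep -Ei 'permitlisten|allowtcpforwarding|permitopen'
# Expected lines: "permitlisten 8022", "allowtcpforwarding remote",
# "permitopen none".
```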
There’s an option, no-port-forwarding, that you can use; it prevents all port forwarding. It is present at least as of OpenSSH 4.3p2 (CentOS 5.3 – the oldest machine I have access to). Put it in the same place that you would have put
It isn’t possible to limit that using ssh. Maybe selinux or iptables could be used to that end. However, there is an alternative strategy which may or may not suit your needs. Use binding to UNIX sockets. This should be available starting from openssh version 6.8.
When using sockets you have the filesystem ACL at your disposal (though whether sockets respect that may be *nix dependent), and you can use it to prevent one user from binding to another one’s sockets. However, it doesn’t prevent binding to ports in any way, so depending on your use case it may not help, but maybe ports don’t matter if you can consistently use only sockets.
With UNIX sockets, handling dangling socket files may be problematic as reverse publishers try to reconnect. I have another question (and answer) on that problem. In short, you probably also want to use
Looks like you can use the following?
In the server configuration file there is a PermitOpen option. This option can be used to specify hosts and ports for which forwards can be established. This option can be used inside a Match block, so it can be restricted by user, group, or hostname or IP address pattern.
So in the server config add the following: