How can I limit ssh *remote* port forwarding?

9,132

Solution 1

This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:

add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).

Solution 2

There's an option, no-port-forwarding, that you can use; it prevents all port forwarding. Present at least as of OpenSSH 4.3p2 (CentOS 5.3 - oldest machine I have access to). Put it in the same place that you would have put permitopen.
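An added example, written for this page and not taken from either answer or from OpenSSH itself: a small Python audit that parses authorized_keys option strings, works out each key's effective policy for remote (ssh -R) listen requests under the permitlisten= and no-port-forwarding options discussed in Solution 1 and Solution 2, and lists the keys that still allow unrestricted remote forwarding. The matcher is a simplified model, not sshd's code: a bare port in permitlisten is treated as allowing any listen host, and host patterns are matched with fnmatch rather than sshd's own pattern matcher. The key file contents are constructed.

```python
import fnmatch

# Authorized_keys lines that start with one of these have no leading options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample file (not real keys): one unrestricted key, one with
# permitlisten, one with no-port-forwarding, one using restrict + port-forwarding.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1 alice@laptop
permitlisten="localhost:8080",permitlisten="[::1]:9000" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY2 bob@relay
no-port-forwarding,command="/usr/bin/rrsync /srv/backup" ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY3 backup@nas
restrict,port-forwarding,permitlisten="*:2222" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY4 carol@tunnel
"""


def split_options(opts):
    """Split an option string on commas that sit outside double quotes
    (command= and permitlisten= values may themselves contain commas)."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and i + 1 < len(opts):
            cur.append(opts[i + 1])  # keep the escaped character, drop the backslash
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            out.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, key_type, comment) for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        opts, rest = [], line
    else:
        i, quoted = 0, False
        while i < len(line):  # the option field ends at the first unquoted space
            if line[i] == "\\":
                i += 2
                continue
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == " " and not quoted:
                break
            i += 1
        opts, rest = split_options(line[:i]), line[i:].strip()
    parts = rest.split(None, 2)
    key_type = parts[0] if parts else ""
    comment = parts[2] if len(parts) > 2 else ""
    return opts, key_type, comment


def parse_listen_spec(spec):
    """permitlisten value '[host:]port' -> (host_pattern, port).
    Assumption in this model: a bare port means any listen host; '*' means any port."""
    if spec.startswith("["):  # bracketed IPv6 form, e.g. [::1]:9000
        host, _, port = spec[1:].partition("]:")
    elif ":" in spec:
        host, _, port = spec.rpartition(":")
    else:
        host, port = "*", spec
    return host, ("*" if port == "*" else int(port))


def remote_forward_policy(opts):
    """Effective ssh -R policy for a key: 'none', 'any', or a list of (host, port) specs.
    Options are applied left to right, so 'restrict,port-forwarding' re-enables forwarding."""
    specs, disabled = [], False
    for opt in opts:
        name, _, value = opt.partition("=")
        name = name.lower()
        if name in ("no-port-forwarding", "restrict"):
            disabled = True
        elif name == "port-forwarding":
            disabled = False
        elif name == "permitlisten":
            specs.append(parse_listen_spec(value.strip('"')))
    if disabled:
        return "none"
    return specs or "any"


def listen_allowed(policy, host, port):
    """Would a request to listen on host:port pass this policy?  ssh sends
    'localhost' when -R gives no bind address and '' for a wildcard bind."""
    if policy == "none":
        return False
    if policy == "any":
        return True
    for pattern, allowed_port in policy:
        if allowed_port in ("*", port) and fnmatch.fnmatchcase(host, pattern):
            return True
    return False


def policies(text):
    """Map each key's comment to its remote-forwarding policy."""
    result = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            opts, _key_type, comment = parsed
            result[comment] = remote_forward_policy(opts)
    return result


def unrestricted_keys(text):
    """Comments of keys that may open a remote listener on any host and port."""
    return sorted(c for c, p in policies(text).items() if p == "any")


if __name__ == "__main__":
    for comment, policy in policies(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{comment:15} {policy}")
    print("unrestricted:", unrestricted_keys(SAMPLE_AUTHORIZED_KEYS))
```

Run it against a real file with `policies(open("/etc/ssh/authorized_keys").read())`; any key reported by unrestricted_keys() is one where only sshd_config (PermitListen, AllowTcpForwarding) still limits what the holder can bind on the server.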

Author: Lluís

Updated on September 18, 2022

Comments

  • Lluís
    Lluís over 1 year

    I need to limit which ports can be remotely 'ssh -R' forwarded by a user.

    I know about the permitopen option in authorized_keys, but as the man page says, it only limits local 'ssh -L' port forwarding.

    As discussed here, a user would get the same with netcat or similar, but in this case the user has no shell access.

    I also found this thread that talks about using selinux or LD_PRELOAD, but I have never configured selinux before and can't find info on how to do that with LD_PRELOAD.

    Maybe someone has made a patch for openssh to implement that?

    EDIT: I've found this bug report so I guess it's not yet implemented

    • alex88
      alex88 over 7 years
      Have you found a solution for this?
    • Lluís
      Lluís over 7 years
      I didn't. I guess it can't be done until the above bug is closed or someone writes a patch to implement this.
  • gertvdijk
    gertvdijk over 11 years
    Completely disabling port forwarding seems overkill and not fit for the question. I assume OP wants to limit it, yet allowing some specific remote port forwardings.
  • Lluís
    Lluís over 11 years
    Yes, I need to allow some port forwarding.
  • davesave
    davesave over 7 years
    Will there ever be a solution to this (beside iptables)?