This is a discussion on Re: Question about port forwarding ACL - openssh ; Artem Dmytrenko wrote: > I apologize in advance if this question has been answered before, but > unfortunately I could not find any good references online. This question > is with respect to OpenSSH 4.2p1. > > Is it possible ...
Artem Dmytrenko wrote:
> I apologize in advance if this question has been answered before, but
> unfortunately I could not find any good references online. This question
> is with respect to OpenSSH 4.2p1.
> Is it possible to configure access control for forwarded ports? For
> example, let's say there is a mix of services running on localhost. Some
> of those services are secure (e.g. check for passwords, etc) and some
> are not intended to be accessed from outside (maybe they allow
> unauthorized access to privileged resources). Is it possible to
> configure ssh daemon so that it can enable forwarding to some ports but
> not others? For example, allow port forwarding to "localhost, ports
> 1000-5000", prohibit access to all other ports.
In OpenSSH 4.2 you can restrict port forwards via key options in
authorized_keys, but that only works for public-key authentications.
In 4.4 and newer, you can use the new "Match" and "PermitOpen"
directives in sshd_config to do the same thing regardless of the
authentication type (but see bug #1267 if you want to specify multiple
destinations). It doesn't do ranges, though.
If your platform supports it, another possible option is to use a local
packet filter that matches the user (eg Linux's iptables --uid-owner or
pf "user" rules on OpenBSD). This will only work if you have privilege
separation enabled so the sshd doing the forwarding is running with the
UID of the logged-in user.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.