I can restrict certain SSH users/keys from doing shell commands by putting
something like:

command="false"

on the line with their public key in the authorized_keys file, allowing
them to do only that one command, or to use the -N option to do no command.
That way they can do -L and -R to set up secure TCP paths.

For some users, I'd like to further limit this so they can only do -L and
not do -R at all. I could use:

no-port-forwarding

on the key line in the authorized_keys file, but that would turn off BOTH
-L and -R. But I want to leave -L on.

Perhaps permitopen="host:port" might work for SOME of these users, since
a subset only needs to connect to one specific host:port. But some others
might need to do more than that. I may even want to let them do -D.
I just don't want them to do -R at all.

Any ideas? Something I overlooked?

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2008-01-29-2233@ipal.net |
|------------------------------------/-------------------------------------|
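
The options discussed in the post above, as an added example that is not part of the original post: a small Python audit that parses authorized_keys entries and reports, per key, the forced command and which forwarding directions no-port-forwarding and permitopen leave enabled. The function names, sample entries and key blobs are constructed for illustration, and the key-type prefix list is an assumption.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # assumption: public key type name prefixes

def split_options(line):
    """Split an entry into (options, rest); quoted values may hold commas/spaces."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):          # no options field present
        return {}, line
    fields, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            fields.append(buf)
            buf = ""
        elif c in " \t" and not quoted:        # end of the options field
            break
        else:
            buf += c
        i += 1
    fields.append(buf)
    opts = {}
    for field in fields:
        name, _, value = field.partition("=")
        opts.setdefault(name.lower(), []).append(value)
    return opts, line[i:].strip()

def audit_line(line):
    opts, rest = split_options(line)
    blocked = "no-port-forwarding" in opts     # turns off both -L and -R
    return {
        "comment": " ".join(rest.split()[2:]),
        "forced_command": opts.get("command", [None])[0],
        "local_forward": "none" if blocked else opts.get("permitopen", "any"),
        "remote_forward": not blocked,         # permitopen leaves -R untouched
    }

def audit(text):
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [audit_line(l) for l in lines]
# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = '''command="false",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER1 alice
command="false",permitopen="db.example.net:5432",permitopen="192.0.2.7:80" ssh-rsa AAAAPLACEHOLDER2 bob
ssh-ed25519 AAAAPLACEHOLDER3 dave'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Any entry reported with remote_forward set to True can still request -R, which is the gap the post describes for keys limited only by command= or permitopen=.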