Port forwarding customised - SSH



Thread: Port forwarding customised

  1. Port forwarding customised

    Hello,

    I am trying to set up an sshd server with port forwarding.
    Now I want to permit port forwarding for specific ports:
    User A can forward all ports,
    User B can forward port 365 and port 1033,
    User C can forward port 1200 to 1300.

    I hope someone has got a solution.

    Thanks for the help

    Tristan

  2. Re: Port forwarding customised

    On 2006-07-07, tristan <"tristan dot dupont at free dot fr"> wrote:
    > Hello,
    >
    > I am trying to set up an sshd server with port forwarding.
    > Now I want to permit port forwarding for specific ports:
    > User A can forward all ports,
    > User B can forward port 365 and port 1033,
    > User C can forward port 1200 to 1300.
    >
    > I hope someone has got a solution.


    The following applies to OpenSSH, if you're using something else then you
    will need to mention what you're using.

    If you're using public-key authentication then you can use the "permitopen"
    key options to do this.

    Richard Silverman will say (if he hasn't already; I've been busy and
    haven't stopped by here in a while) that authentication and authorization
    are two orthogonal concepts and should not be so intertwined.

    In the next release (ie 4.4, it's already in the snaps), sshd will allow
    per-user (and per source address) configuration directives: currently
    only a small subset but including some of those that were traditionally
    only available as key options. The above would be:

    AllowTcpForwarding no

    Match User usera
    AllowTcpForwarding yes

    Match User userb
    AllowTcpForwarding yes
    PermitOpen host:365 host:1033

    Match User userc
    AllowTcpForwarding yes
    PermitOpen host:1200 host:1201 [...]
    [and so on, unfortunately permitopen doesn't understand ranges]

    There's no "PermitListen" equivalent for remote port forwarding, though.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
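    Added example, not code from the thread or from the OpenSSH project: a small POSIX shell script that writes out the sshd_config fragment sketched in the reply above for the three users in the original question. It assumes OpenSSH 4.4 or later (Match support); the user names usera/userb/userc and the target host name "apphost" are placeholders. Because PermitOpen takes no ranges, the 1200 to 1300 range is expanded into one host:port entry per port by a helper, which is the "[and so on]" the reply leaves out.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Generates an
# sshd_config fragment with per-user forwarding rules (OpenSSH >= 4.4).
# "apphost" and the user names are placeholders.

# expand_permitopen HOST FIRST LAST
# PermitOpen does not understand ranges, so print one HOST:PORT entry per
# port, separated by spaces (PermitOpen accepts a whitespace-separated list).
expand_permitopen() {
    host=$1 first=$2 last=$3
    out=""
    p=$first
    while [ "$p" -le "$last" ]; do
        out="$out $host:$p"
        p=$((p + 1))
    done
    printf '%s\n' "${out# }"   # drop the leading space
}

# gen_sshd_config HOST
# Global defaults come first; Match blocks go last, and each block runs
# until the next Match keyword (or end of file), so every keyword under a
# Match line applies to that user only.
gen_sshd_config() {
    host=$1
    cat <<EOF
# Nobody may forward unless a Match block below says otherwise
AllowTcpForwarding no

Match User usera
    AllowTcpForwarding yes

Match User userb
    AllowTcpForwarding yes
    PermitOpen $host:365 $host:1033

Match User userc
    AllowTcpForwarding yes
    PermitOpen $(expand_permitopen "$host" 1200 1300)
EOF
}

# Stand-alone use: ./gen_fwd.sh --run > sshd_config.fwd
if [ "${1:-}" = "--run" ]; then
    gen_sshd_config apphost
fi
```

    Append the output to a complete sshd_config (Match blocks must be the last thing in the file), then check it with `sshd -t -f /path/to/sshd_config` and confirm what a given user actually gets with `sshd -T -f /path/to/sshd_config -C user=userc`, which prints the effective settings for that Match context. As the reply says, PermitOpen only constrains local (-L) forwards; it does nothing for remote (-R) forwards.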

  3. Re: Port forwarding customised

    >>>>> "DT" == Darren Tucker writes:

    DT> Richard Silverman will say (if he hasn't already; I've been busy
    DT> and haven't stopped by here in a while) that authentication and
    DT> authorization are two orthogonal concepts and should not be so
    DT> intertwined.

    Hmmm... getting predictable in my old age.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: Port forwarding customised

    Darren,

    > The following applies to OpenSSH, if you're using something else then you
    > will need to mention what you're using.


    Do you know other alternatives to OpenSSH? I mean, reliable, with
    minimum vulnerabilities, and with support for the topic of this thread?
    I need to control how my users connect to a server, and restrict to
    where they connect, for security reasons, obviously.

    Thank you.


    Juan


  5. Re: Port forwarding customised

    On 2006-08-05, Juan Jose Costello Levien wrote:
    > Darren,
    >
    >> The following applies to OpenSSH, if you're using something else then you
    >> will need to mention what you're using.

    >
    > Do you know other alternatives to OpenSSH? I mean, reliable, with
    > minimum vulnerabilities, and with support for the topic of this thread?


    I'm not aware of any, but I'm not exactly impartial here so I'll let
    someone else answer that one...

    > I need to control how my users connect to a server, and restrict to
    > where they connect, for security reasons, obviously.


    Note that if the users have shell access they can use external forwarders
    (eg netcat) bypassing whatever restrictions the SSH server puts on them.

    If your OS supports it you could use packet filter rules on locally
    originated connections to enforce your restrictions (eg "owner" rules in
    Linux's iptables or "user" rules in OpenBSD's pf). Those would cover
    external forwarders as well as sshd's port forwarding.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  6. Re: Port forwarding customised

    On 2006-08-06, Darren Tucker wrote:
    > If your OS supports it you could use packet filter rules on locally
    > originated connections to enforce your restrictions (eg "owner" rules in
    > Linux's iptables or "user" rules in OpenBSD's pf). Those would cover
    > external forwarders as well as sshd's port forwarding.


    ... if you're using OpenSSH, and as long as you have
    UsePrivilegeSeparation enabled (which is the default).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
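    Added example, not code from the thread: a POSIX shell script that prints the per-user packet-filter rules the two replies above describe, for both Linux iptables ("owner" match) and OpenBSD pf ("user" rules). It only prints the rules for review; loading them needs root. The user names and the destination 192.0.2.10 (a documentation address) are placeholders, and the policy table is constructed for the three users in the original question. Two points worth seeing in code: both filters take inclusive port ranges, so the 1200 to 1300 case is one rule rather than 101 PermitOpen entries, and the rules match on the Unix user that owns the socket, which is why the last reply ties this to UsePrivilegeSeparation: with it enabled, sshd opens the user's forwarded connections from the unprivileged process running as that user, so they are caught by the same rule as a netcat the user starts from a shell.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) per-user
# egress rules. Placeholders: usera/userb/userc and 192.0.2.10.

# Constructed policy table, one "user host ports" line per user; "ports" is
# a space-separated list of single ports or FIRST-LAST ranges, or "any".
POLICY='usera 192.0.2.10 any
userb 192.0.2.10 365 1033
userc 192.0.2.10 1200-1300'

# port_spec 1200-1300 -> 1200:1300 ; port_spec 365 -> 365
# iptables --dport and pf "port" both accept inclusive FIRST:LAST ranges.
port_spec() {
    case $1 in
        *-*) printf '%s:%s\n' "${1%-*}" "${1#*-}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# iptables_rules: ACCEPT the listed destinations for each user, then REJECT
# any other new TCP connection opened by that user's processes. Matching
# only NEW connections leaves already established sessions (including the
# user's own SSH session) untouched.
iptables_rules() {
    printf '%s\n' "$POLICY" | while read -r user host ports; do
        if [ "$ports" = any ]; then
            echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -j ACCEPT"
            continue
        fi
        for p in $ports; do
            echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -d $host --dport $(port_spec "$p") -j ACCEPT"
        done
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset"
    done
}

# pf_rules: the same policy in pf.conf syntax; "quick" makes the first
# matching rule win, so the per-user block line must come after the passes.
pf_rules() {
    printf '%s\n' "$POLICY" | while read -r user host ports; do
        if [ "$ports" = any ]; then
            echo "pass out quick proto tcp from any to any user $user"
            continue
        fi
        for p in $ports; do
            echo "pass out quick proto tcp from any to $host port $(port_spec "$p") user $user"
        done
        echo "block return out quick proto tcp from any to any user $user"
    done
}

# Stand-alone use: ./egress_rules.sh --iptables   or   ./egress_rules.sh --pf
if [ "${1:-}" = "--iptables" ]; then iptables_rules; fi
if [ "${1:-}" = "--pf" ]; then pf_rules; fi
```

    Because these rules are evaluated on the socket owner rather than on the SSH channel request, they cover a user who bypasses sshd's PermitOpen by running an external forwarder from a shell, which is the gap the reply points out; the PermitOpen configuration and the packet filter are complementary, not alternatives.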
