Port forwarding control options

Matt Johnston matt at ucc.asn.au
Sun Apr 23 00:14:19 WST 2006


On Thu, Apr 20, 2006 at 04:33:45PM -0400, tmassey at obscorp.com wrote:
> Hello!
> 
> I'm looking at using Dropbear to encapsulate non-encrypted protocol
> traffic (like SMTP).  I would like to limit users' ability to port
> forward to specific hosts and ports.  I have a couple of questions:
> 
> 1) Does Dropbear support this?  I know that the Dropbear website says: 
> "Compatible with OpenSSH ~/.ssh/authorized_keys public key 
> authentication".  But does that mean that it actually obeys "permitopen" 
> information?

Nope, if keys have any restrictions on them, then Dropbear
won't allow those keys to be used. I intend to implement
some of OpenSSH's restriction functionality eventually.

> 2) Is there a more centralized way of controlling this, preferably 
> server-wide?  I would love to be able to limit the entire SSH server to 
> forward to only the specific ports on the specific hosts that I want to 
> access, and use the ~/.ssh/authorized_keys file to define, if necessary, a 
> *subset* of those ports on a per-user basis.

Currently there isn't support for that. It probably wouldn't
be too hard to set up a config file that is loaded and then
compared for each TCP forwarding request. I don't have time
to implement it at the moment though.

> I'm surprised that this seems to be such an undocumented area of limiting 
> SSH's power.  Giving users the ability to port forward to *any* host and 
> *any* port from the outside seems to be significantly dangerous.  What am 
> I missing?

The general case is that users have the ability to run
arbitrary programs on the host anyway, so port forwarding
isn't such a great concern.

Cheers,
Matt
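As an added illustration of the check sketched in the thread (this is example code, not Dropbear's or OpenSSH's), the function below loads nothing from disk but evaluates one TCP forwarding request against a server-wide allow-list and an optional per-key list, both written in OpenSSH's `permitopen="host:port"` syntax with `*` as a port wildcard. The layering follows the question's wording: the server-wide list bounds what is reachable at all, and a key's own permitopen entries can only narrow that set.

```c
#include <stdlib.h>
#include <string.h>

/* Match one "host:port" rule (port may be "*") against a requested target. */
static int rule_matches(const char *rule, size_t len, const char *host, int port)
{
    const char *colon = memchr(rule, ':', len);
    if (colon == NULL) return 0;
    size_t hlen = (size_t)(colon - rule);
    if (hlen != strlen(host) || memcmp(rule, host, hlen) != 0) return 0;
    const char *pstr = colon + 1;
    size_t plen = len - hlen - 1;
    if (plen == 1 && pstr[0] == '*') return 1;       /* any port on this host */
    char buf[6];                                     /* up to 5 digits + NUL */
    if (plen == 0 || plen >= sizeof buf) return 0;
    memcpy(buf, pstr, plen); buf[plen] = '\0';
    char *end; long p = strtol(buf, &end, 10);
    return *end == '\0' && p == port;
}

/* Scan an options string for permitopen="host:port" entries; *has_rules is set
 * when at least one entry exists, and the result is 1 only on a match. */
static int list_permits(const char *opts, const char *host, int port, int *has_rules)
{
    static const char tag[] = "permitopen=\"";
    const char *p = opts;
    *has_rules = 0;
    while ((p = strstr(p, tag)) != NULL) {
        p += sizeof tag - 1;
        const char *q = strchr(p, '"');
        if (q == NULL) return 0;                     /* unterminated rule: deny */
        *has_rules = 1;
        if (rule_matches(p, (size_t)(q - p), host, port)) return 1;
        p = q + 1;
    }
    return 0;
}

/* Decision for one forwarding request: the server-wide list must permit it (an
 * empty list permits nothing); per-key entries, if any, may only narrow that. */
int forward_permitted(const char *server_opts, const char *key_opts,
                      const char *host, int port)
{
    int has;
    if (!list_permits(server_opts, host, port, &has)) return 0;
    if (key_opts == NULL) return 1;
    int ok = list_permits(key_opts, host, port, &has);
    return has ? ok : 1;                             /* no key rules: inherit */
}
```

The host names and ports in the test cases are constructed for the example; real deployments would load the server-wide list from a configuration file, as the reply suggests, and the per-key string from the key's authorized_keys options.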

