Port forwarding control options
matt at ucc.asn.au
Sun Apr 23 00:14:19 WST 2006
On Thu, Apr 20, 2006 at 04:33:45PM -0400, tmassey at obscorp.com wrote:
> I'm looking at using Dropbear to encapsulate non-encrypted protocol
> traffic (like SMTP). I would like to limit users' ability to port
> forward to specific hosts and ports. I have a couple of questions:
> 1) Does Dropbear support this? I know that the Dropbear website says:
> "Compatible with OpenSSH ~/.ssh/authorized_keys public key
> authentication". But does that mean that it actually obeys "permitopen"
Nope, if keys have any restrictions on them, then Dropbear
won't allow those keys to be used. I intend to implement
some of OpenSSH's restriction functionality eventually.
> 2) Is there a more centralized way of controlling this, preferably
> server-wide? I would love to be able to limit the entire SSH server to
> forward to only the specific ports on the specific hosts that I want to
> access, and use the ~/.ssh/authorized_keys file to define, if necessary, a
> *subset* of those ports on a per-user basis.
Currently there isn't support for that. It probably wouldn't
be too hard to set up a config file that is loaded and then
compared for each TCP forwarding request. I don't have time
to implement it at the moment though.
> I'm surprised that this seems to be such an undocumented area of limiting
> SSH's power. Giving users the ability to port forward to *any* host and
> *any* port from the outside seems to be significantly dangerous. What am
> I missing?
The general case is that users have the ability to run
arbitrary programs on the host anyway, so port forwarding
isn't such a great concern.
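The reply above sketches what such a restriction would look like: a server-wide list that is consulted for each TCP forwarding request, optionally narrowed per key in the style of OpenSSH's permitopen="host:port" authorized_keys option. The following is an added example of that check, written for this page; it is not Dropbear or OpenSSH code, and the config syntax (one host:port per line, '*' for any port, '#' comments) and the sample rule sets are assumptions made here. The per-key list can only narrow the server-wide list, never widen it, which is the "subset" behaviour the question asks for.

```python
"""Allowlist check for SSH local port forwarding (direct-tcpip) requests.

Added example, not Dropbear's or OpenSSH's code. The server-wide list is the
outer bound; a per-key list (authorized_keys-style permitopen) may only
narrow it. Rule syntax used here is an assumption for this example:
    host:port     one rule per line, port may be '*' for any port
    # comment     comments and blank lines are ignored
"""
from typing import Iterable, List, Optional, Tuple

# (host, port); port None means any port ('*')
Rule = Tuple[str, Optional[int]]

# Constructed sample server-wide config (assumption, not a real deployment).
SERVER_CONFIG = """
# outbound targets every SSH user may reach
mail.example.com:25
mail.example.com:587
10.0.0.5:*
"""


def parse_rules(lines: Iterable[str]) -> List[Rule]:
    """Parse host:port rules. Hosts are kept as literal strings; they are
    compared against the host string the client sends in the forwarding
    request, not resolved via DNS, so 'localhost' and '127.0.0.1' are
    distinct targets and must both be listed if both should be allowed."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not host:
            raise ValueError(f"bad rule, expected host:port: {raw!r}")
        host = host.strip("[]")  # accept [::1]:25 for IPv6 literals
        if port == "*":
            rules.append((host, None))
        elif port.isdigit() and 0 < int(port) <= 65535:
            rules.append((host, int(port)))
        else:
            raise ValueError(f"bad port in rule: {raw!r}")
    return rules


def matches(rules: List[Rule], host: str, port: int) -> bool:
    """True if some rule covers (host, port). Exact, case-insensitive host
    match; no host wildcards, so a key cannot smuggle in a broader target."""
    h = host.strip("[]").lower()
    return any(rh.lower() == h and (rp is None or rp == port)
               for rh, rp in rules)


class ForwardPolicy:
    """Server-wide allowlist plus optional per-key narrowing."""

    def __init__(self, server_rules: List[Rule]) -> None:
        self.server_rules = server_rules

    def allow(self, host: str, port: int,
              key_rules: Optional[List[Rule]] = None) -> bool:
        """Decide one direct-tcpip request. A key without its own list gets
        the full server-wide set; a key with a list gets the intersection."""
        if not matches(self.server_rules, host, port):
            return False  # outside the server-wide bound, key list is moot
        if key_rules is not None and not matches(key_rules, host, port):
            return False  # inside the bound, but this key was narrowed
        return True


def build_server_policy() -> ForwardPolicy:
    """Policy loaded from the constructed SERVER_CONFIG above."""
    return ForwardPolicy(parse_rules(SERVER_CONFIG.splitlines()))


if __name__ == "__main__":
    policy = build_server_policy()
    smtp_only = parse_rules(["mail.example.com:25"])  # a narrowed key
    for host, port, key in [
        ("mail.example.com", 25, None),
        ("10.0.0.5", 3306, None),
        ("evil.example.net", 80, None),
        ("mail.example.com", 587, smtp_only),
        ("evil.example.net", 80, parse_rules(["evil.example.net:*"])),
    ]:
        print(f"{host}:{port} key_rules={key} -> "
              f"{'allow' if policy.allow(host, port, key) else 'deny'}")
```

Such a check only matters when the user cannot run arbitrary programs on the host anyway (a forced command, no shell, or a similarly locked-down account), which is the point the reply makes: an ordinary shell user can simply run their own relay to any host the server can reach. Matching the literal requested host string rather than a resolved address avoids a second trap, where two spellings of one target resolve differently at check time and at connect time.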