Howto disable SSH local port forwarding ?
Posted
by
SCO
on Super User
See other posts from Super User
or by SCO
Published on 2011-01-06T09:38:16Z
Indexed on
2011/01/06
9:56 UTC
Read the original article
Hit count: 293
I have a server running Ubuntu and the OpenSSH daemon. Let's call it S1.
I use this server from client machines (let's call one of them C1) to do an SSH reverse tunnel by using remote port forwarding, eg :
ssh -R 1234:localhost:23 login@S1
On S1, I use the default sshd_config file. From what I can see, anyone having the right credentials {login,pwd} on S1 can log into S1 and either do remote port forwarding and local port forwarding. Such credentials could be a certificate in the future, so in my understanding anyone grabbing the certificate can log into S1 from anywhere else (not necessarily C1) and hence create local port forwardings.
To me, allowing local port forwarding is too dangerous, since it allows to create some kind of public proxy. I'm looking for a way tto disable only -L forwardings.
I tried the following, but this disables both local and remote forwarding :
AllowTcpForwarding No
I also tried the following, this will only allow -L to SX:1. It's better than nothing, but still not what I need, which is a "none" option.
PermitOpen SX:1
So I'm wondering if there is a way, so that I can forbid all local port forwards to write something like :
PermitOpen none:none
Is the following a nice idea ?
PermitOpen localhost:1
© Super User or respective owner