How to disable SSH local port forwarding?
Posted by SCO on Super User
Published on 2011-01-06T09:38:16Z
        
I have a server running Ubuntu and the OpenSSH daemon. Let's call it S1.
I use this server from client machines (let's call one of them C1) to do an SSH reverse tunnel by using remote port forwarding, e.g.:
ssh -R 1234:localhost:23 login@S1
On S1, I use the default sshd_config file. From what I can see, anyone having the right credentials {login,pwd} on S1 can log into S1 and do either remote port forwarding or local port forwarding. Such credentials could be a certificate in the future, so in my understanding anyone grabbing the certificate can log into S1 from anywhere else (not necessarily C1) and hence create local port forwardings.
To me, allowing local port forwarding is too dangerous, since it allows creating some kind of public proxy. I'm looking for a way to disable only -L forwardings.
I tried the following, but this disables both local and remote forwarding:
AllowTcpForwarding No
I also tried the following; this will only allow -L to SX:1. It's better than nothing, but still not what I need, which is a "none" option.
PermitOpen SX:1
So I'm wondering if there is a way to write something like the following, so that I can forbid all local port forwards:
PermitOpen none:none
Is the following a nice idea?
PermitOpen localhost:1
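Added example, not part of the original post: a small auditor that reads an sshd_config and reports whether -L and -R forwarding are permitted, run over the settings tried above. It goes beyond the post by also recognising `AllowTcpForwarding remote` and `PermitOpen none`, values documented in the sshd_config(5) manual of current OpenSSH; whether the sshd installed on S1 supports them has to be checked against its own man page. The function name, the sample set and the global-section-only parsing are assumptions of this example.

```python
# Added example (not from the original post): which forwardings does a config allow?
# Assumptions: only the global section is read (stops at the first Match block),
# the first occurrence of a keyword wins, AllowTcpForwarding is case-insensitive.

def forwarding_posture(config_text):
    """Return what -L (local) and -R (remote) forwarding an sshd_config permits."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break
        if key in ("allowtcpforwarding", "permitopen") and args:
            seen.setdefault(key, args)  # keep the first value, as sshd does

    mode = seen.get("allowtcpforwarding", ["yes"])[0].lower()
    if mode not in ("yes", "all", "no", "local", "remote"):
        raise ValueError("unknown AllowTcpForwarding value: " + mode)
    local = mode in ("yes", "all", "local")
    remote = mode in ("yes", "all", "remote")

    # PermitOpen limits the destinations a client may reach with -L.
    targets = seen.get("permitopen", ["any"])
    if not local or targets[0] == "none":
        local, targets = False, []
    elif targets[0] == "any":
        targets = "any"
    return {"local": local, "remote": remote, "local_targets": targets}

# Constructed sample configs: the first four are the settings tried in the post,
# the last two use values from the sshd_config(5) manual that the post does not mention.
SAMPLES = {
    "default": "",
    "AllowTcpForwarding No": "AllowTcpForwarding No\n",
    "PermitOpen SX:1": "PermitOpen SX:1\n",
    "PermitOpen localhost:1": "PermitOpen localhost:1\n",
    "AllowTcpForwarding remote": "AllowTcpForwarding remote\n",
    "PermitOpen none": "PermitOpen none\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:28} {forwarding_posture(text)}")
```

On a live server, `sshd -T` prints the effective configuration, including Match-dependent values this parser does not evaluate.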