We have a public server which accepts SSH connections from multiple clients behind firewalls.

Each of these clients create a Reverse SSH tunnel by using the ssh -R command from their web servers at port 80 to our public server.

The destination port(at the client side) of the Reverse SSH Tunnel is 80 and the source port(at public server side) depends on the user. We are planning on maintaining a map of port addresses for each user.

For example, client A would tunnel their web server at port 80 to our port 8000; client B from 80 to 8001; client C from 80 to 8002.

Client A: ssh -R 8000:internal.webserver:80 clienta@publicserver

Client B: ssh -R 8001:internal.webserver:80 clientb@publicserver

Client C: ssh -R 8002:internal.webserver:80 clientc@publicserver

Basically, what we are trying to do is bind each user with a port and not allow them to tunnel to any other ports.

If we were using the forward tunneling feature of SSH with ssh -L, we could permit which port to be tunneled by using the permitopen=host:port configuration. However, there is no equivalent for reverse SSH tunnel.

Is there a way of restricting reverse tunneling ports per user?