I have a server running Ubuntu and the OpenSSH daemon. I use the default sshd_config file. I use this server from client machines (let's call one of them C1) to do an SSH reverse tunnel by using remote port forwarding, e.g.:

    ssh -R 1234:localhost:23 S1

From what I can see, anyone having the right credentials on S1 can log into S1 and do either remote port forwarding or local port forwarding. Such credentials could be a certificate in the future, so in my understanding anyone grabbing the certificate can log into S1 from anywhere else (not necessarily C1) and hence create local port forwardings. To me, allowing local port forwarding is too dangerous, since it allows creating some kind of public proxy.

I'm looking for a way to disable only -L forwardings. I tried the following, but this disables both local and remote forwarding:

    AllowTcpForwarding No

I also tried the following; this will only allow -L to SX:1. It's better than nothing, but still not what I need, which is a "none" option.

    PermitOpen localhost:1

So I'm wondering if there is a way so that I can forbid all local port forwards, to write something like:

    PermitOpen none:none

Another solution would be to only allow port forwarding to specific users. Is the following a nice idea?

Port forwarding can be globally enabled or disabled in sshd. This is done with the serverwide configuration keyword AllowTcpForwarding in /etc/sshd_config. The keyword may have the value yes (the default, enabling forwarding) or no (disabling forwarding):

    AllowTcpForwarding no    # SSH1, SSH2, OpenSSH

In addition, SSH2 has the following options:

    # SSH2 only

They specify a list of users or groups that are allowed to use port forwarding; the server refuses to honor port forwarding requests for anyone else. The syntax of these is the same as for the AllowUsers and AllowGroups options. Note that these refer to the target account of the SSH session, not the client username (which is often not known).
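An added example (not from the question above or from the book text it quotes) of the remote-only policy the question is after, together with a check that reads sshd's effective per-user settings. It assumes an OpenSSH release that accepts the `remote` value for AllowTcpForwarding (6.2 and later); the group name `tunnelers` is a made-up placeholder for the accounts that run the reverse tunnels.

```shell
#!/bin/sh
# Added example, not code from the original post or the quoted book.
# Assumes OpenSSH >= 6.2 (AllowTcpForwarding accepts "local"/"remote")
# and a made-up group "tunnelers" that holds the reverse-tunnel accounts.

# Config fragment for sshd_config: everyone is denied forwarding, and the
# tunnel accounts get -R (remote) forwarding only, so a leaked key or
# certificate cannot turn S1 into an outbound (-L) proxy. PermitOpen none
# is belt-and-braces: it blocks -L targets even if the first line changes.
tunnel_only_config() {
  cat <<'EOF'
AllowTcpForwarding no
Match Group tunnelers
    AllowTcpForwarding remote
    PermitOpen none
    X11Forwarding no
EOF
}

# check_remote_only: read an `sshd -T -C user=<name>` dump on stdin and
# succeed only if that user can open -R forwards but never -L forwards.
# sshd -T prints keywords in lower case, one setting per line.
check_remote_only() {
  awk '
    $1 == "allowtcpforwarding" { fwd = $2 }
    $1 == "permitopen"         { po  = $2 }
    END {
      remote_ok     = (fwd == "yes" || fwd == "all" || fwd == "remote")
      local_blocked = (fwd == "remote" || po == "none")
      exit !(remote_ok && local_blocked)
    }'
}

# audit_user <name>: ask the installed sshd what <name> would get after
# Match blocks are applied, then run the check above. Needs root to read
# the host keys and config.
audit_user() {
  sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" | check_remote_only
}

# Typical use on S1 after appending tunnel_only_config to sshd_config:
#   sshd -t && service ssh reload && audit_user tunneluser
```

A client in the group then still succeeds with `ssh -R`, while `ssh -L` is answered with an "administratively prohibited" channel open failure.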