On Thu, Nov 23, 2006 at 06:26:03PM +0100, Alexander Tampermeier wrote:
> When using remote port forwarding: Is there a way to restrict the client in
> the number of remote forwarding ports? In other words: I want the client to
> be restricted, so that he can only remote-forward "ssh
> -R15555:localhost:15000" and no other port on the server except 15000.
> Without such a restriction the client would be able to "redirect" arbitrary
> host-ports to wherever he likes.
If I understand what you're asking, it's probably worth pointing out that it's already possible to do this kind of port redirection in general with TCP/IP without dealing with SSH's port redirection... there's not much you can do to prevent it. Anyone capable of writing socket code in C can write a program to redirect any port to anywhere in maybe a couple of dozen lines. All that's required to do this is that the user have access to a machine which can connect to the host/ports he wants to, and access to a C compiler on some machine which is capable of producing executables which will run on the target proxy machine. This technique can be used to get around your local port forward limitations, as well, assuming the user has shell access to the machine.

Anyone who really wants to do this is probably going to do it whether you explicitly allow it or not. Someone's probably already written a free program to do this kind of port redirection, which can be downloaded freely. It might even have pre-compiled binaries for your platform(s). Another way to accomplish the same thing without writing the code is to use a Linux box that one has root access to (or similar) to use firewall rules to do network address / port translation.

Worse yet, these methods of circumventing access will not use encryption... any traffic they redirect this way will not be encrypted (unless they're redirecting a service that inherently uses encryption already). So you're probably better off not bothering to try to lock this down... at least, not by restricting SSH's ability to forward ports. At least then, you can be sure the traffic will be encrypted.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
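Editor's note, not part of the original thread: the control Alexander asked for did not exist in the OpenSSH of 2006, but later releases (OpenSSH 7.8, 2018, and newer) added the `PermitListen` keyword, which limits the addresses and ports a client's `ssh -R` may ask the server to listen on. The fragment below is an added example, not configuration from the thread or the OpenSSH project; the user name `alice` and the key material are placeholders, and the port numbers are the ones from the question. Note that `PermitListen` governs the server-side listen port, i.e. the first field of `-R15555:localhost:15000`, which is 15555 in the quoted command.

```text
# /etc/ssh/sshd_config excerpt (added example; 'alice' is a placeholder)

# Site-wide default: no TCP forwarding of any kind.
AllowTcpForwarding no

Match User alice
    # Permit only remote forwarding (-R); local (-L) and dynamic (-D)
    # forwarding stay disabled for this account.
    AllowTcpForwarding remote
    # The only listener the client may request on this server.
    # Any other "ssh -R <port>:..." bind request is refused by sshd.
    # (OpenSSH 7.8 and later; "PermitListen none" would refuse all.)
    PermitListen localhost:15555
    # Keep the listener on loopback even if the client asks for "*:15555".
    GatewayPorts no

# Per-key alternative in ~alice/.ssh/authorized_keys (same release requirement;
# key blob is a placeholder):
# permitlisten="localhost:15555" ssh-ed25519 AAAA...PLACEHOLDER... alice@example

# Check the effective settings for that user without restarting sshd:
#   sshd -T -C user=alice,host=client.example,addr=192.0.2.10 \
#       | grep -E '^(allowtcpforwarding|permitlisten|gatewayports)'
```

Derek's caveat still applies: this only constrains what sshd itself will bind. An account that also gets a shell can relay ports with its own process, so the restriction is meaningful for forwarding-only accounts (no shell, `ForceCommand` or a nologin shell) and as one layer alongside host firewall rules, not as a substitute for them.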