How can I limit ssh *remote* port forwarding?
I need to limit which ports can be remotely ('ssh -R') forwarded by a user.

I know about the permitopen option on authorized_keys, but as it says on the man page it only limits local ('ssh -L') port forwarding.

As discussed here, a user would get the same with netcat or similar, but in this case the user has no shell access.

I also found this thread that talks about using selinux or LD_PRELOAD, but I never configured selinux before and can't find info on how to do that with LD_PRELOAD.

Maybe someone has made a patch for openssh to implement that?

EDIT: I've found this bug report so I guess it's not yet implemented.

Tags: ssh security port-forwarding
edited Dec 22 '16 at 19:57 by umläute
asked Dec 28 '12 at 13:42 by Lluís
Have you found a solution for this? – alex88, Dec 20 '16 at 10:50

I didn't, I guess it can't be done until the above bug is closed or someone writes a patch to implement this. – Lluís, Dec 20 '16 at 12:12
4 Answers
Accepted answer (score 1)
This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:

    add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).
answered 2 days ago by Frank
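The following is an added example, not OpenSSH code and not part of Frank's answer: a small Python model of the listen-permission rules that sshd_config(5) and sshd(8) document for PermitListen and the permitlisten= authorized_keys option, so you can reason about which `ssh -R` requests a given configuration will accept before rolling it out. It assumes that both the server directive and the key option must permit a request (that is how I read the combination of the two layers; verify it against your sshd), approximates ssh_config(5) PATTERNS with fnmatch, and uses function names of my own (parse_listen_spec, listen_permitted, requested_listen). The sshd_config and authorized_keys lines in the comments are constructed for illustration.

```python
import fnmatch

ANY_PORT = "*"


def parse_listen_spec(spec):
    """Parse one listen spec: 'port', 'host:port' or '[ipv6]:port'.

    Returns (host_pattern, port). host_pattern is None when the spec names no
    host (it then matches any listen address); port is an int or ANY_PORT for '*'.
    """
    spec = spec.strip()
    host = None
    if spec.startswith("["):                       # bracketed IPv6 literal
        close = spec.index("]")
        host, rest = spec[1:close], spec[close + 1:]
        if not rest.startswith(":"):
            raise ValueError(f"malformed listen spec: {spec!r}")
        port_s = rest[1:]
    elif ":" in spec:
        host, port_s = spec.rsplit(":", 1)         # rsplit also copes with raw ::1:port
    else:
        port_s = spec
    if port_s == ANY_PORT:
        return host, ANY_PORT
    port = int(port_s)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return host, port


def parse_permit_listen(value):
    """Parse an sshd_config PermitListen argument: 'any', 'none' or
    whitespace-separated listen specs."""
    value = value.strip()
    if value in ("any", "none"):
        return value
    return [parse_listen_spec(s) for s in value.split()]


def spec_matches(spec, host, port):
    """Does one parsed spec permit a listener on (host, port)?"""
    host_pattern, spec_port = spec
    if spec_port != ANY_PORT and spec_port != port:
        return False
    if host_pattern is None:
        return True
    # ssh_config(5) PATTERNS use '*' and '?'; fnmatchcase is a close model (it
    # additionally treats '[...]' as a character class, which ssh does not).
    # The comparison is textual: a pattern of 'localhost' does not match a
    # request for '127.0.0.1' or '::1', exactly as the man pages warn.
    return fnmatch.fnmatchcase(host, host_pattern)


def listen_permitted(permit_listen, key_permitlisten, host, port):
    """Decide whether a tcpip-forward request for (host, port) is allowed.

    permit_listen:    the sshd_config PermitListen argument (str).
    key_permitlisten: list of specs from permitlisten="..." options on the key
                      that authenticated, or None if the key carries none.
    Assumption of this model: both layers must permit the request.
    """
    admin = parse_permit_listen(permit_listen)
    if admin == "none":
        return False
    if admin != "any" and not any(spec_matches(s, host, port) for s in admin):
        return False
    if key_permitlisten is not None:
        user = [parse_listen_spec(s) for s in key_permitlisten]
        if not any(spec_matches(s, host, port) for s in user):
            return False
    return True


def requested_listen(r_argument):
    """Map an `ssh -R [bind_address:]port:host:hostport` argument to the
    (host, port) the client asks the server to listen on. With no bind_address
    the client sends the name 'localhost'."""
    listen_part = r_argument.rsplit(":", 2)[0]
    host, port = parse_listen_spec(listen_part)
    return (host if host is not None else "localhost"), port


if __name__ == "__main__":
    # Constructed policy, as it would appear in sshd_config:
    #   Match User deploy
    #       PermitListen localhost:8080 127.0.0.1:9000
    # and on the deploy user's authorized_keys line:
    #   restrict,port-forwarding,permitlisten="localhost:8080" ssh-ed25519 AAAA... deploy
    policy = "localhost:8080 127.0.0.1:9000"
    key_opts = ["localhost:8080"]
    for arg in ("8080:localhost:80", "9000:localhost:80",
                "127.0.0.1:9000:localhost:80", "0.0.0.0:8080:localhost:80"):
        host, port = requested_listen(arg)
        verdict = "allowed" if listen_permitted(policy, key_opts, host, port) else "denied"
        print(f"ssh -R {arg:<28} listen on {host}:{port:<5} -> {verdict}")
```

Two things the run makes visible that the release-note quote does not: `-R 9000:...` is denied even though the policy allows 127.0.0.1:9000, because the client asked for the name "localhost", and the key-level `permitlisten=` narrows the server-level `PermitListen` further rather than widening it.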
Answer (score 4)
There's an option no-port-forwarding that you can use, which prevents all port forwarding. Present at least as of OpenSSH 4.3p2 (CentOS 5.3, the oldest machine I have access to). Put it in the same place that you would have put permitopen.
answered Dec 28 '12 at 14:33 by utopiabound
Completely disabling port forwarding seems overkill and not fit for the question. I assume OP wants to limit it, yet allowing some specific remote port forwardings. – gertvdijk, Dec 28 '12 at 14:35

Yes, I need to allow some ports forwarding. – Lluís, Dec 28 '12 at 16:59
Answer (score 0)
It isn't possible to limit that using ssh. Maybe selinux or iptables could be used to that end. However, there is an alternative strategy which may or may not suit your needs. Use binding to UNIX sockets. This should be available starting from openssh version 6.8.

When using sockets you have the filesystem ACL (though whether sockets respect that may be *nix dependent) at your disposal and you can use it to prevent one user from binding to another one's sockets. However, it doesn't prevent binding to ports in any way, so depending on your use case it may not help, but maybe ports don't matter if you can consistently only use sockets.

With UNIX sockets handling dangling socket files may be problematic as reverse publishers try to reconnect. I have another question (and answer) to that problem. In short you probably also want to use StreamLocalBindUnlink yes:

How to cleanup SSH reverse tunnel socket after connection closed?
answered Mar 27 at 7:12 by Timo
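An added example (mine, not part of Timo's answer and not OpenSSH code) for the two points above: the filesystem, not sshd, decides who can create a socket in the directory your `ssh -R` UNIX-socket endpoints live in, and a tunnel that drops leaves a socket file behind that nothing listens on. The first function audits a socket directory's owner and write bits; the second probes each socket file with a connect and reports the ones that are dangling, which is the leftover that StreamLocalBindUnlink yes exists to clear. The function names and the temporary-directory scenario in demo() are constructed for this example.

```python
import os
import shutil
import socket
import stat
import tempfile


def audit_socket_dir(path, expected_uid):
    """Return a list of problems with a directory meant to hold one user's
    ssh -R UNIX-socket endpoints. An empty list means it looks sane."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable: other users could create socket files here")
    return problems


def dangling_sockets(path):
    """Names of socket files in `path` with no listener behind them.

    Connecting to a UNIX socket file whose listener is gone fails with
    ECONNREFUSED; a live listener accepts the connection, which we drop at once.
    """
    stale = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not stat.S_ISSOCK(os.lstat(full).st_mode):
            continue
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as probe:
            try:
                probe.connect(full)
            except ConnectionRefusedError:
                stale.append(name)
    return stale


def demo():
    """Constructed scenario: a private 0700 directory holding one live listener
    and one stale socket file, plus a /tmp-style 1777 directory.
    Returns (private_problems, stale_names, shared_problems)."""
    private = tempfile.mkdtemp(prefix="rtun-")
    shared = tempfile.mkdtemp(prefix="rtun-shared-")
    os.chmod(private, 0o700)
    os.chmod(shared, 0o1777)             # anyone may create files here
    live = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        live.bind(os.path.join(private, "app.sock"))
        live.listen(1)
        dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        dead.bind(os.path.join(private, "old-app.sock"))
        dead.close()                     # the file stays behind, like a dropped tunnel
        uid = os.getuid()
        return (audit_socket_dir(private, uid),
                dangling_sockets(private),
                audit_socket_dir(shared, uid))
    finally:
        live.close()
        shutil.rmtree(private, ignore_errors=True)
        shutil.rmtree(shared, ignore_errors=True)


if __name__ == "__main__":
    private_problems, stale, shared_problems = demo()
    print("private dir problems:", private_problems or "none")
    print("dangling sockets:", stale)
    print("shared dir problems:", shared_problems)
```

Run it against the real directory your reverse tunnels use (for example under the tunnel user's home) rather than the constructed one; a non-empty first list means another local user could plant a socket file where sshd will try to bind.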
Answer (score -1)
Duplicate: https://superuser.com/questions/516417/how-to-restrict-ssh-port-forwarding-without-denying-it

Looks like you can use the following?

    In the server configuration file there is a PermitOpen option. This option can be used to specify hosts and ports for which forwards can be established. This option can be used inside a Match block, so it can be restricted by user, group, or hostname or IP address pattern.

Edit: So in the Server config add the following

    PermitOpen host:port
    PermitOpen IPv4_addr:port
    PermitOpen [IPv6_addr]:port
edited Mar 20 '17 at 10:04 by Community♦
answered Dec 22 '16 at 20:48 by PHoBwz
Only on U&L can be marked as duplicate. – GAD3R, Dec 22 '16 at 21:27

As stated in the question, that's for -L and it's already known as a non solution. – alex88, Dec 23 '16 at 11:54

Will there ever be a solution to this (beside iptables)? – davesave, Feb 1 '17 at 9:36