How can I limit ssh *remote* port forwarding?

Score: 21

I need to limit which ports can be remotely 'ssh -R' forwarded by a user.

I know about the permitopen option in authorized_keys, but as it says in the man page, it only limits local 'ssh -L' port forwarding.

As discussed here, a user would get the same with netcat or similar, but in this case the user has no shell access.

I also found this thread that talks about using SELinux or LD_PRELOAD, but I never configured SELinux before and can't find info on how to do that with LD_PRELOAD.

Maybe someone has made a patch for OpenSSH to implement that?

EDIT:
I've found this bug report, so I guess it's not yet implemented.

Tags: ssh, security, port-forwarding

edited Dec 22 '16 at 19:57 by umläute
asked Dec 28 '12 at 13:42 by Lluís

  • Have you found a solution for this?
    – alex88
    Dec 20 '16 at 10:50

  • I didn't, I guess it can't be done until the above bug is closed or someone writes a patch to implement this
    – Lluís
    Dec 20 '16 at 12:12

4 Answers

Score: 1 (accepted)

This has been implemented in OpenSSH 7.8p1, which was released 2018-08-24. Quote from the release notes:

    add a PermitListen directive to sshd_config(5) and a
    corresponding permitlisten= authorized_keys option that control
    which listen addresses and port numbers may be used by remote
    forwarding (ssh -R ...).

answered Nov 20 at 14:06 by Frank
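
An added example, not part of the original answers or of OpenSSH: a small auditor that reads authorized_keys lines and reports what each key lets `ssh -R` bind, using the permitlisten= option quoted above together with no-port-forwarding, restrict and port-forwarding. The function names, the sample file and its placeholder key blobs are constructed for illustration, and applying options left to right is a modelling assumption about sshd's evaluation order.

```python
"""Audit authorized_keys lines for what they allow `ssh -R` to listen on."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def split_options(line):
    """Return (options, rest) for one authorized_keys line.

    The options field is optional, comma-separated, and may hold
    double-quoted values containing spaces, commas and \\" escapes.
    """
    line = line.strip()
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return [], line  # line starts with the key type: no options field
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes and line[i + 1:i + 2] == '"':
            cur.append('"')  # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            opts.append("".join(cur))
            cur = []
        elif ch in " \t" and not in_quotes:
            break  # first unquoted whitespace ends the options field
        else:
            cur.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in options field")
    opts.append("".join(cur))
    return [o for o in opts if o], line[i:].strip()


def remote_forward_policy(line):
    """Classify one key line as 'blocked', 'limited' or 'unrestricted'.

    permitopen is ignored on purpose: it only limits local (-L) forwards.
    Assumption: options take effect left to right.
    """
    options, _rest = split_options(line)
    forwarding, listens = True, []
    for opt in options:
        name, _, value = opt.partition("=")
        name = name.lower()
        if name in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif name == "port-forwarding":
            forwarding = True
        elif name == "permitlisten":
            listens.append(value)
    if not forwarding:
        return "blocked", []
    if not listens:
        return "unrestricted", []
    return "limited", listens


def audit(text):
    """Return (line number, key comment, status, allowed listen specs)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        status, listens = remote_forward_policy(line)
        # The last token is taken as the key comment (true for this sample).
        findings.append((lineno, line.split()[-1], status, listens))
    return findings


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# authorized_keys for the tunnel account (constructed)
permitopen="10.0.0.5:5432" ssh-ed25519 AAAAC3placeholder1 db-tunnel
permitlisten="127.0.0.1:8080",permitlisten="127.0.0.1:8443" ssh-ed25519 AAAAC3placeholder2 kiosk-a
restrict,port-forwarding,permitlisten="localhost:2222" ssh-ed25519 AAAAC3placeholder3 kiosk-b
restrict,command="/usr/bin/true" ssh-ed25519 AAAAC3placeholder4 backup
ssh-ed25519 AAAAC3placeholder5 admin
'''

if __name__ == "__main__":
    for lineno, label, status, listens in audit(SAMPLE):
        detail = ", ".join(listens) if listens else "-"
        print(f"line {lineno}: {label:<10} {status:<13} {detail}")
```

The script reads only per-key options; the PermitListen directive in sshd_config sets the same kind of limit on the server side and is not evaluated here.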


Score: 4

There's an option no-port-forwarding that you can use, that prevents all port forwarding. Present at least as of OpenSSH 4.3p2 (CentOS 5.3 - oldest machine I have access to). Put it in the same place that you would have put permitopen.

answered Dec 28 '12 at 14:33 by utopiabound

  • Completely disabling port forwarding seems overkill and not fit for the question. I assume OP wants to limit it, yet allowing some specific remote port forwardings.
    – gertvdijk
    Dec 28 '12 at 14:35

  • Yes, I need to allow some ports forwarding
    – Lluís
    Dec 28 '12 at 16:59

Score: 0

It isn't possible to limit that using ssh. Maybe SELinux or iptables could be used to that end. However, there is an alternative strategy which may or may not suit your needs. Use binding to UNIX sockets. This should be available starting from OpenSSH version 6.8.

When using sockets you have the filesystem ACL (though whether sockets respect that may be *nix dependent) at your disposal and you can use it to prevent one user from binding to another one's sockets. However, it doesn't prevent binding to ports in any way, so depending on your use case it may not help, but maybe ports don't matter if you can consistently only use sockets.

With UNIX sockets, handling dangling socket files may be problematic as reverse publishers try to reconnect. I have another question (and answer) to that problem. In short you probably also want to use StreamLocalBindUnlink yes:

How to cleanup SSH reverse tunnel socket after connection closed?

answered Mar 27 at 7:12 by Timo

Score: -1

Duplicate: https://superuser.com/questions/516417/how-to-restrict-ssh-port-forwarding-without-denying-it

Looks like you can use the following?

In the server configuration file there is a PermitOpen option. This option can be used to specify hosts and ports for which forwards can be established. This option can be used inside a Match block, so it can be restricted by user, group, or hostname or IP address pattern.

Edit:
So in the Server config add the following

    PermitOpen host:port
    PermitOpen IPv4_addr:port
    PermitOpen [IPv6_addr]:port

edited Mar 20 '17 at 10:04 by Community
answered Dec 22 '16 at 20:48 by PHoBwz

  • Only on U&L can be marked as duplicate.
    – GAD3R
    Dec 22 '16 at 21:27

  • As stated in the question, that's for -L and it's already known as a non solution
    – alex88
    Dec 23 '16 at 11:54

  • Will there ever be a solution to this (beside iptables)?
    – davesave
    Feb 1 '17 at 9:36