
Mailing List Archive: OpenSSH: Dev

openssh remote port forwarding and permitopen

 

 



alex at alex

Sep 30, 2011, 8:22 AM


I have an application where a lot of end user CPE devices ssh in
automatically to a central server, and are authenticated
by public key, to do remote (-R) port forwarding, so we can open
a connection back to a particular port on the remote device whether
it's behind some NAT or firewall or whatever. I want to be certain,
however, that if I open port 12345, it is connected to the correct
end user CPE (i.e. the one that presented the correct key).

Therefore I'd like a forceremoteport option in authorized_keys
so whatever remote port is specified by the client (perhaps
the client just specifies 0), it uses a particular allocated port
and no other. I don't particularly want to do the equivalent of
permitopen, as I'd have to have each client keep up with the
port allocations on the server, which is unnecessary and a pain.
In my scheme the client can do
ssh -N -R 80:127.0.0.1:0 host.example.com
with forceremoteport=12345, which would mean that
telnet 127.0.0.1 12345
on host.example.com would connect to the CPE's port 80.

Would you take a patch for this? It would have the advantage
that forceremoteport=0 would effectively disable -R forwarding.

Supplemental question: I'd like to disable -L port forwarding as
well (whilst leaving -R allowed subject to the above). I can't
immediately see any way to do this except for using permitopen
and a port that has nothing bound to it. Am I missing something?

--
Alex Bligh
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
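
An added example, not part of the original post and not OpenSSH code: a Python audit of an authorized_keys file for the property the post asks for, namely that each CPE key is tied to one server-side -R listen port that no other key shares, and that -L is fenced off with the permitopen workaround the post mentions. It relies on the `permitlisten` authorized_keys option that later OpenSSH releases provide (the client must still request that port itself, unlike the proposed forceremoteport); the key blobs, labels and ports are constructed.

```python
import re
from collections import defaultdict

# Constructed sample; key blobs are placeholders, labels and ports are made up.
SAMPLE = '''\
restrict,port-forwarding,permitlisten="127.0.0.1:12345",permitopen="127.0.0.1:1" ssh-ed25519 AAAA...1 cpe-0001
restrict,port-forwarding,permitlisten="127.0.0.1:12346" ssh-ed25519 AAAA...2 cpe-0002
restrict,port-forwarding,permitlisten="12345",permitopen="127.0.0.1:1" ssh-ed25519 AAAA...3 cpe-0003
ssh-ed25519 AAAA...4 cpe-0004
'''

KEYTYPE = re.compile(r'(ssh-|ecdsa-|sk-)')
# Options field: comma-separated, may contain spaces only inside double quotes.
FIELD = re.compile(r'((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.*)')
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse(line):
    """Split one authorized_keys line into ([(option, value)], remainder)."""
    m = FIELD.match(line)
    if KEYTYPE.match(line) or not m:
        return [], line                      # no options field
    return [(o[1].lower(), o[2]) for o in OPTION.finditer(m[1])], m[2]

def audit(text):
    """Return (line_no, label, problem) tuples; line_no 0 marks a cross-key finding."""
    findings, owners = [], defaultdict(list)
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        opts, rest = parse(line)
        names = [k for k, _ in opts]
        label = rest.split()[-1]             # assumes a trailing comment names the CPE
        if 'no-port-forwarding' in names or ('restrict' in names and 'port-forwarding' not in names):
            continue                         # forwarding off (simplified: ignores option order)
        ports = [v.rsplit(':', 1)[-1] for k, v in opts if k == 'permitlisten' and v]
        if len(ports) != 1:
            findings.append((n, label, 'not pinned to exactly one -R listen port'))
        if 'permitopen' not in names:
            findings.append((n, label, '-L destinations unrestricted'))
        for p in ports:
            owners[p].append(label)
    for port, labels in owners.items():
        if len(labels) > 1:
            findings.append((0, ','.join(labels), f'-R listen port {port} shared'))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

A shared listen port is the case the post worries about: whichever key binds it first receives the connections meant for the other device.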
