SSH port forwarding controls
Jeremy Begg
2008-11-14 00:37:05 UTC
Hi,

The following SSH command allows me to set up port forwarding so that I can
use other machines on my network to access the remote machine via the SSH
tunnel:

$ ssh -g -L2301:remote.node.domain:23 remote.node.domain

The problem with this is that it allows *any* other machine to use that SSH
tunnel, if it can contact the SSH client machine. This is OK on my local
network but not OK if the SSH client machine is exposed to the Internet.

Is there an SSH configuration option, either in the client or the server,
which I can use to specify which "other" hosts can use the SSH tunnel? The
ForwardACL looks like it might be what I want, but I'm having trouble
following the Multinet documentation for it.

Thanks,

Jeremy Begg

+---------------------------------------------------------+
| VSM Software Services Pty. Ltd. |
| http://www.vsm.com.au/ |
| "OpenVMS Systems Management & Programming" |
|---------------------------------------------------------|
| P.O.Box 402, Walkerville, | E-Mail: ***@vsm.com.au |
| South Australia 5081 | Phone: +61 8 8221 5188 |
|---------------------------| Mobile: 0414 422 947 |
| A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
+---------------------------------------------------------+
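The exposure Jeremy describes comes from where the client binds the listening side of the forward, so it helps to see exactly which listeners a given command line opens. The following is an added example (not code from the thread, and not MultiNet's implementation): a small Python model of the OpenSSH client syntax `-L [bind_address:]port:host:hostport` and the `-g` (GatewayPorts) switch, which reports whether each listener is loopback-only, pinned to one address, or open on every interface. The MultiNet client may differ in detail; the command lines and the address 192.0.2.10 are constructed for illustration.

```python
"""Who can reach a local (-L) forward's listening port?

Added example, not code from the original thread or from MultiNet. It models
the OpenSSH client syntax  -L [bind_address:]port:host:hostport  and the -g
(GatewayPorts) switch; the argv lines below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class LocalForward:
    bind_address: Optional[str]  # None when the spec omitted the field
    port: int
    host: str
    hostport: int


def _split_spec(spec: str) -> list:
    """Split on ':' but keep bracketed IPv6 literals such as [::1] intact."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the argument of -L. Raises ValueError on malformed input."""
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        bind = bind.strip("[]")
    else:
        raise ValueError(f"malformed -L spec: {spec!r}")
    if not port.isdigit() or not hostport.isdigit():
        raise ValueError(f"ports must be numeric: {spec!r}")
    return LocalForward(bind, int(port), host.strip("[]"), int(hostport))


def listener_scope(fwd: LocalForward, gateway_ports: bool = False) -> str:
    """Return 'loopback', 'all' or 'address:<addr>' for the listening side.

    Rules as documented for the OpenSSH client: with no bind_address the
    listener follows GatewayPorts (-g); '' or '*' means every interface;
    'localhost' means loopback only; anything else is that one address.
    """
    b = fwd.bind_address
    if b is None:
        return "all" if gateway_ports else "loopback"
    if b in ("", "*"):
        return "all"
    if b in LOOPBACK_NAMES:
        return "loopback"
    return f"address:{b}"


def audit_ssh_argv(argv: list) -> list:
    """Return [(spec, scope), ...] for every -L on an ssh command line.

    Handles both '-L spec' and '-Lspec'; -g is honoured wherever it appears.
    """
    gateway = "-g" in argv
    results = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-L":
            if i + 1 >= len(argv):
                raise ValueError("-L requires an argument")
            spec = argv[i + 1]
            i += 1
        elif arg.startswith("-L"):
            spec = arg[2:]
        else:
            i += 1
            continue
        results.append((spec, listener_scope(parse_local_forward(spec), gateway)))
        i += 1
    return results


def rebind(fwd: LocalForward, bind_address: str) -> str:
    """Rewrite a forward so its listener is pinned to one local address.

    This narrows *which interface* accepts connections, not *which peers*:
    every host that can route to that address can still use the tunnel.
    """
    if ":" in bind_address and not bind_address.startswith("["):
        bind_address = f"[{bind_address}]"
    return f"{bind_address}:{fwd.port}:{fwd.host}:{fwd.hostport}"


if __name__ == "__main__":
    # Constructed command line from the thread, then a narrowed variant.
    cmd = ["ssh", "-g", "-L2301:remote.node.domain:23", "remote.node.domain"]
    for spec, scope in audit_ssh_argv(cmd):
        print(f"{spec} -> listener reachable from: {scope}")
    fwd = parse_local_forward("2301:remote.node.domain:23")
    # 192.0.2.10 is a placeholder LAN address, not one from the thread.
    print("pinned to one interface:", rebind(fwd, "192.0.2.10"))
```

Dropping `-g`, or giving an explicit bind address, limits which interface the listener sits on; it does not say which hosts may connect, which is the per-source control Jeremy is asking for. On a client with an Internet-facing interface, that source control has to come from a host firewall on the client or from a server-side ACL such as the ForwardACL discussed in the reply.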
Richard Whalen
2008-11-17 17:05:55 UTC
I modified the SSHD2 code to give me some additional debugging, then
experimented with various ForwardACLs in order to figure out what
worked. I came up with the following:

Forwardacl allow local username name\.of\.this\.host ip\.of\.remote\.host

Username is the username that someone logs into on the SSH target system
Name.of.this.host is the ssh target system
Ip.of.remote.host is the system to allow.



-----Original Message-----
From: Jeremy Begg [mailto:***@vsm.com.au]
Sent: Thursday, November 13, 2008 7:37 PM
To: info-***@process.com
Subject: SSH port forwarding controls
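To make the three fields in Richard's ForwardACL line concrete, here is an added example (not MultiNet's code, and not taken from the thread) that models the check a server would perform for a local forward: each of user, target host and originator address is a regular expression, as the escaped dots in the post indicate. Two points are assumptions rather than anything the page states: that each field must match its value in full, and that a request matching no `allow` line is denied. The account name `jeremy`, the host `sshtarget.example` and the address 10.1.2.3 are placeholders.

```python
"""Model of a MultiNet-style ForwardACL check for local forwards.

Added example, not MultiNet's code. The rule shape follows Richard Whalen's
post: Forwardacl allow local <user> <target-host> <originator>, each field a
regular expression. Assumed here (not stated on the page): fields must match
the whole value, '#' starts a comment, only 'allow' lines exist, and a request
that matches no 'allow' line is denied.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRequest:
    user: str         # account the SSH session is logged into on the target
    target_host: str  # name of the SSH target system enforcing the ACL
    originator: str   # address of the machine that connected to the client's listener


@dataclass(frozen=True)
class AclRule:
    action: str        # only 'allow' is modelled here (assumption)
    kind: str          # 'local' for -L forwards
    user: re.Pattern
    host: re.Pattern
    originator: re.Pattern


def parse_forward_acl(text: str) -> list:
    """Parse ForwardACL lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6 or fields[0].lower() != "forwardacl":
            raise ValueError(f"unrecognised ForwardACL line: {line!r}")
        _, action, kind, user, host, orig = fields
        if action.lower() != "allow":
            raise ValueError(f"unsupported action {action!r} in: {line!r}")
        rules.append(AclRule(action.lower(), kind.lower(),
                             re.compile(user), re.compile(host), re.compile(orig)))
    return rules


def is_permitted(rules: list, req: ForwardRequest) -> bool:
    """True if some 'allow local' rule matches all three fields in full."""
    for rule in rules:
        if rule.kind != "local":
            continue
        if (rule.user.fullmatch(req.user)
                and rule.host.fullmatch(req.target_host)
                and rule.originator.fullmatch(req.originator)):
            return True
    return False  # default deny (assumption)


# Constructed ACL in the shape of the thread's example; names and addresses
# are placeholders. Raw string so the backslashes reach the regex compiler.
ACL_TEXT = r"""
# let 10.1.2.3 use local forwards opened by jeremy on sshtarget.example
Forwardacl allow local jeremy sshtarget\.example 10\.1\.2\.3
"""

RULES = parse_forward_acl(ACL_TEXT)


def decide(user: str, target_host: str, originator: str) -> bool:
    """Evaluate one local-forward request against the constructed ACL."""
    return is_permitted(RULES, ForwardRequest(user, target_host, originator))


def unescaped_dot_matches(pattern: str, value: str) -> bool:
    """Show why the post escapes dots: an unescaped '.' is a single-char wildcard."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    for args in (("jeremy", "sshtarget.example", "10.1.2.3"),
                 ("jeremy", "sshtarget.example", "10.1.2.30"),
                 ("mallory", "sshtarget.example", "10.1.2.3")):
        print(args, "->", "allow" if decide(*args) else "deny")
    print("'10.1.2.3' unescaped matches '10x1y2z3':",
          unescaped_dot_matches("10.1.2.3", "10x1y2z3"))
```

If, as Richard's result suggests, the third field is checked against the originating host of the forwarded connection, note where that value comes from: in the SSH connection protocol (RFC 4254, section 7.2) the originator address of a `direct-tcpip` channel is supplied by the SSH client in its channel-open request. The server-side ACL therefore filters on what the client reports, which is fine for keeping unwanted LAN hosts off a tunnel opened with `-g`, but it is not a defence against a compromised or modified client that lies about the originator.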
