Howto disable SSH local port forwarding


I have a server running Ubuntu and the OpenSSH daemon. Let's call it S1.

I use this server from client machines (let's call one of them C1) to do an SSH reverse tunnel by using remote port forwarding, e.g.:

ssh -R 1234:localhost:23 login@S1

On S1, I use the default sshd_config file. From what I can see, anyone having the right credentials {login,pwd} on S1 can log into S1 and do either remote port forwarding or local port forwarding. Such credentials could be a certificate in the future, so in my understanding anyone grabbing the certificate can log into S1 from anywhere else (not necessarily C1) and hence create local port forwardings.

To me, allowing local port forwarding is too dangerous, since it allows creating some kind of public proxy. I'm looking for a way to disable only -L forwardings.

I tried the following, but this disables both local and remote forwarding:

AllowTcpForwarding No

I also tried the following, this will only allow -L to SX:1. It's better than nothing, but still not what I need, which is a "none" option.

PermitOpen SX:1

So I'm wondering if there is a way, so that I can forbid all local port forwards, to write something like:

PermitOpen none:none

Is the following a nice idea?

PermitOpen localhost:1

Best Answer

Anyone with login credentials can bring up their own instance of sshd, running on a random port, and allow whatever they want, including -L local forwardings:

% /usr/sbin/sshd -d -f mysshd.config -p 12345

If you do not trust the users to do something with your machine, then you shouldn't allow them to log in in the first place.

(btw, the -D flag is kind of "proxy-problematic" as well)
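As an added example, not part of the question or the answer above: current OpenSSH releases accept `AllowTcpForwarding remote` in sshd_config, which keeps `-R` tunnels working while sshd refuses `-L` and `-D` requests, and it can be scoped per user or group with `Match` blocks. The script below, written for this page, models how sshd picks the effective value (first value in a satisfied Match block, else the first global value, else the default) so an administrator can check what a given login would be allowed; it is a model rather than sshd's own parser, handles only `Match User`, `Match Group` and `Match all`, and the sample config, the `admin` user and the `tunnelers` group are constructed.

```python
# Constructed sample sshd_config (not the page's own): 'AllowTcpForwarding
# remote' keeps 'ssh -R' tunnels working but makes sshd refuse -L and -D.
SAMPLE_SSHD_CONFIG = """
AllowTcpForwarding remote
AllowTcpForwarding yes      # ignored: the first global occurrence wins
Match User admin
    AllowTcpForwarding yes
Match Group tunnelers
    AllowTcpForwarding remote
"""
DEFAULTS = {"allowtcpforwarding": "yes"}  # sshd default permits both directions


def parse_sshd_config(text):
    """Split into (global_values, [(match_criteria_tokens, block_values)])."""
    global_kv, blocks = {}, []
    current = global_kv
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
        else:
            current.setdefault(key, value)  # sshd keeps the first occurrence
    return global_kv, blocks


def match_applies(criteria, user, groups):
    """Every 'User x' / 'Group y' pair on the Match line must hold; other
    criteria (Address, Host, ...) count as not matching; 'all' always matches."""
    pairs = zip(criteria[::2], criteria[1::2])
    return all((c.lower() == "user" and a == user) or (c.lower() == "group" and a in groups)
               for c, a in pairs)


def effective_value(text, keyword, user, groups=()):
    """sshd_config(5) precedence: first value in a satisfied Match block,
    else the first global value, else the compiled-in default."""
    global_kv, blocks = parse_sshd_config(text)
    for criteria, kv in blocks:
        if keyword in kv and match_applies(criteria, user, groups):
            return kv[keyword]
    return global_kv.get(keyword, DEFAULTS.get(keyword))


def forwarding_permitted(text, direction, user, groups=()):
    """direction: 'local' (covers -L and -D) or 'remote' (covers -R)."""
    value = effective_value(text, "allowtcpforwarding", user, groups).lower()
    return value in ("yes", "all", direction)
```

On a live host, `sshd -T -C user=<name>` prints the values the real daemon would apply for that login, which is the authoritative check.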
