Normally an ssh client can request TCP forwarding using the -L command line option. The server can disable this completely using AllowTcpForwarding no. If enabled, the client can request to connect the endpoint to a remote machine other than the sshd server using host in -L port:host:hostport. Is there a way to configure sshd to limit the destination forwarding address to localhost (i.e. the sshd server machine itself)?
Ssh – Can sshd restrict client tunnel endpoints to localhost
Tags: port-forwarding, ssh, ssh-tunneling, sshd
Best Answer
A secure default for an OpenSSH installation will have GatewayPorts set to no. This is precisely that restriction.
Edit:
See the PermitOpen directive:
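As an added illustration (not part of the original answer), here is an sshd_config fragment that restricts client-requested local (-L) forwards to the sshd host itself. PermitOpen governs the destinations of -L forwards; GatewayPorts only governs which interface remote (-R) forwards bind to on the server. PermitOpen compares the host string the client sends literally, with no name resolution, so every spelling of loopback must be listed. The group name "tunnelusers" and the port 5432 are assumptions chosen for the example.

```conf
# Added example sshd_config fragment (not from the original post).
# Assumptions: OpenSSH sshd; a group "tunnelusers" that may forward only
# to a single local service on port 5432.

# Keep TCP forwarding available globally, but restrict where it may go.
AllowTcpForwarding yes

# Remote (-R) forwards may bind only to the server's loopback interface.
GatewayPorts no

# Client-requested local (-L) forwards may target only the sshd host.
# Matching is literal, so list each way a client might name loopback.
PermitOpen localhost:* 127.0.0.1:* [::1]:*

# Tighter rules for one group; Match values override the global ones above.
Match Group tunnelusers
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5432 [::1]:5432
    PermitListen none
```

After editing, run sshd -t to check the syntax and sshd -T -C user=someuser to print the effective values that the Match block yields for a given account, then reload sshd. Note that PermitOpen only constrains forwards set up by the ssh client; a user who still has an interactive shell can relay traffic with their own tools, so combine this with ForceCommand or equivalent shell restrictions where the goal is to confine the account to the local service.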