SSH – Can sshd restrict client tunnel endpoints to localhost

port-forwarding, ssh, ssh-tunneling, sshd

Normally an ssh client can request TCP forwarding using the -L command line option. The server can disable this completely using AllowTcpForwarding no. If enabled, the client can request to connect the endpoint to a remote machine other than the sshd server using host in -L port:host:hostport. Is there a way to configure sshd to limit the destination forwarding address to localhost (i.e. the sshd server machine itself)?

Best Answer

A secure default for an OpenSSH installation will have GatewayPorts set to no. This is precisely that restriction.

Edit:

See the PermitOpen directive:

Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

              PermitOpen host:port
              PermitOpen IPv4_addr:port
              PermitOpen [IPv6_addr]:port

Multiple forwards may be specified by separating them with whitespace. An argument of “any” can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
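The PermitOpen directive quoted above is the one that answers the question. As an added example (not code from the original question or answer), the script below shows the sshd_config fragment that limits -L and -D destinations to the sshd host, and emulates the PermitOpen match in POSIX sh so the behaviour can be exercised without an sshd at hand. The emulation assumes, as I understand sshd's behaviour, that the host part of each PermitOpen entry is compared as a literal string against the destination the client requested, with no name resolution; this is why localhost, 127.0.0.1 and ::1 must each be listed. The "*" port wildcard and the "none" argument exist in current OpenSSH releases but are not in the older man-page excerpt quoted above.

```shell
#!/bin/sh
# Added example, not code from the original post.

# sshd_config fragment (put it in /etc/ssh/sshd_config or a file under
# /etc/ssh/sshd_config.d/). PermitOpen only governs direct-tcpip
# requests, i.e. -L and -D; remote forwarding (-R) is a separate control.
SSHD_CONFIG_FRAGMENT='
AllowTcpForwarding yes
PermitOpen localhost:* 127.0.0.1:* [::1]:*
'

# permitopen_allows LIST HOST PORT
#   Simplified emulation of the sshd PermitOpen check (an assumption
#   about sshd internals, not its real code). LIST is the PermitOpen
#   argument: whitespace-separated host:port entries, port may be "*";
#   "any" permits everything and "none" permits nothing. HOST is the
#   literal destination string the client asked for. Returns 0 if the
#   request would be allowed, 1 if it would be refused.
#   The body runs in a subshell so "set -f" (no globbing of "*") stays local.
permitopen_allows() (
    set -f
    list=$1
    host=$2
    port=$3
    for entry in $list; do
        case $entry in
            any)  return 0 ;;
            none) return 1 ;;
        esac
        ehost=${entry%:*}      # text before the last ':'
        eport=${entry##*:}     # text after the last ':'
        # [::1]:port is written with brackets in the config, but the
        # client requests the bare address "::1"; strip them to compare.
        case $ehost in
            \[*\]) ehost=${ehost#\[}; ehost=${ehost%\]} ;;
        esac
        [ "$ehost" = "$host" ] || continue
        if [ "$eport" = "*" ] || [ "$eport" = "$port" ]; then
            return 0
        fi
    done
    return 1
)

# check_forward FRAGMENT HOST PORT
#   Pulls the (last) PermitOpen line out of a config fragment and tests
#   a requested destination against it. Prints allow/deny, returns 0/1.
check_forward() {
    fragment=$1
    host=$2
    port=$3
    permit=$(printf '%s\n' "$fragment" \
        | sed -n 's/^[[:space:]]*PermitOpen[[:space:]]\{1,\}//p' | tail -n 1)
    if permitopen_allows "$permit" "$host" "$port"; then
        echo "allow $host:$port"
        return 0
    fi
    echo "deny  $host:$port"
    return 1
}

# Demonstration. The first three are what a client sends for
# -L 8080:localhost:80, -L 5432:127.0.0.1:5432 and -L 6379:[::1]:6379;
# the last one is the pivot through the server that the question wants
# to prevent (a constructed address).
check_forward "$SSHD_CONFIG_FRAGMENT" localhost 80
check_forward "$SSHD_CONFIG_FRAGMENT" 127.0.0.1 5432
check_forward "$SSHD_CONFIG_FRAGMENT" ::1 6379
check_forward "$SSHD_CONFIG_FRAGMENT" 10.0.0.5 445 || true
```

Two caveats a practitioner should keep in mind. First, PermitOpen restricts only the destinations sshd itself will connect to; a user who still gets a shell can run their own relay on the server and reach other hosts through it, so for a real restriction pair PermitOpen with ForceCommand or a non-interactive account, optionally inside a Match User or Match Group block. Second, GatewayPorts is a different control: it decides which interfaces a remote (-R) forward binds to on the server, not where a local (-L) forward may connect.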
