I have a number of connections coming in to my host to create a reverse tunnel

from machine 1:
ssh -R:19991:192.168.250.251:80 user1@xxxxxxxx -N -f

from machine 2:
ssh -R:19992:192.168.250.251:80 user2@xxxxxxxx -N -f

from machine 3:
ssh -R:19993:192.168.250.251:80 user3@xxxxxxxx -N -f

You can see that each user has a specific port that they should use.

I would either like to dynamically set the correct port on my host (I know what they should be), or if I cannot I would like to restrict the connections so that the users can only open the tunnel on the ports that I have specified.

I have not found anything in the configuration settings to restrict the ports that can be selected by an inbound connection. When a dynamic port (0) is used, this appears to just pick the next available port.

I have experimentally patched serverloop.c to ignore the user specified port and used one based on the uid but wonder:

a) Is there a good way to achieve this without patching openssh
b) If the best way is to continue with the patch perhaps we can discuss options for what the patch should look like as I would prefer to submit to the project rather than maintain my own branch.

I would suggest either calling out to an external program that returns the port (this may be considered to be a security problem), or some other mapping from users to the port (range?) they can choose

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
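
The per-user port restriction asked about above, as an added example that is not part of the original post or of OpenSSH's code: OpenSSH 7.8 and later have a `PermitListen` directive in sshd_config that limits the ports `ssh -R` may bind, and it can be set inside a `Match User` block. The script renders those blocks from the user-to-port mapping in the post and checks requested `-R` specs against the same mapping; the function names and the port-only comparison are assumptions of this example, not sshd's matching logic.

```python
# Added example: user-to-port mapping taken from the post (one port per user).
ASSIGNED_PORTS = {"user1": 19991, "user2": 19992, "user3": 19993}


def render_match_blocks(assigned):
    """Return sshd_config text limiting each user's remote-forward listen port."""
    lines = []
    for user, port in sorted(assigned.items()):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port for {user}: {port}")
        lines += [f"Match User {user}",
                  "    AllowTcpForwarding remote",
                  f"    PermitListen {port}"]
    return "\n".join(lines) + "\n"


def listen_port(spec):
    """Extract the listen port from an ssh -R argument as used in the post."""
    # Bracketed IPv6 addresses are outside this example's scope.
    if "[" in spec:
        raise ValueError("bracketed addresses not handled")
    fields = spec.split(":")
    if len(fields) == 3:        # port:host:hostport
        port = fields[0]
    elif len(fields) == 4:      # bind_address:port:host:hostport (bind may be empty)
        port = fields[1]
    else:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    if not (port.isascii() and port.isdigit()) or int(port) > 65535:
        raise ValueError(f"bad listen port in {spec!r}")
    return int(port)


def is_permitted(user, spec, assigned=ASSIGNED_PORTS):
    """Model of the policy: True only if spec binds the user's assigned port."""
    try:
        port = listen_port(spec)
    except ValueError:
        return False
    # Port 0 (server picks the port) never equals an assigned port here,
    # and an unknown user has no assigned port, so both are refused.
    return assigned.get(user) == port


if __name__ == "__main__":
    print(render_match_blocks(ASSIGNED_PORTS), end="")
    # Constructed request: user2 asking for the port assigned to user1.
    print(is_permitted("user2", ":19991:192.168.250.251:80"))
```

The rendered `Match` blocks belong at the end of sshd_config, and `sshd -t` validates the file before the daemon is reloaded.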