Reverse tunnel security settings

I have a number of connections coming in to my host to create a reverse tunnel

from machine 1: ssh -R:19991:192.168.250.251:80 user1@xxxxxxxx -N -f
from machine 2: ssh -R:19992:192.168.250.251:80 user2@xxxxxxxx -N -f
from machine 3: ssh -R:19993:192.168.250.251:80 user3@xxxxxxxx -N -f


You can see that each user has a specific port that they should use.

I would either like to dynamically set the correct port on my host (I
know what they should be), or if I cannot I would like to restrict the
connections so that the users can only open the tunnel on the ports
that I have specified.

I have not found anything in the configuration settings to restrict
the ports that can be selected by an inbound connection.  When a
dynamic port (0) is used, this appears to just pick the next available
port.

I have experimentally patched serverloop.c to ignore the user
specified port and used one based on the uid but wonder:
a) Is there a good way to achieve this without patching openssh
b) If the best way is to continue with the patch perhaps we can
discuss options for what the patch should look like as I would prefer
to submit to the project rather than maintain my own branch.  I would
suggest either calling out to an external program that returns the
port (this may be considered to be a security problem), or some other
mapping from users to the port (range?) they can choose.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
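Added note and example, not part of the original message or the OpenSSH project's code: OpenSSH 7.8 and later answer question (a) without a patch, through the sshd_config directive PermitListen, which limits the ports a client's -R forward may bind; placed in Match User blocks it gives exactly the per-user mapping described above, with "PermitListen none" as the default for everyone else. The script below generates that configuration from constructed user:port pairs (the user names, ports and output path are assumptions taken from the message).

```shell
#!/bin/sh
# Generate per-user "Match User" blocks for sshd_config so that each user's
# reverse tunnel (ssh -R) may only bind the single port assigned to them.
# Input: whitespace-separated user:port pairs; output: sshd_config text.
# Assumption: everyone not listed should be denied remote forwards entirely.
gen_permitlisten_config() {
    # Global default first: Match blocks must follow all global directives.
    printf '%s\n' '# Constructed example: restrict remote forwards per user' \
                  'PermitListen none'
    for pair in "$@"; do
        user=${pair%%:*}
        port=${pair#*:}
        # Reject malformed pairs rather than emitting a block that sshd
        # would misparse or that might permit more than one port.
        case $port in
            ''|*[!0-9]*) printf 'bad pair: %s\n' "$pair" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            printf 'bad port: %s\n' "$port" >&2; return 1; }
        printf 'Match User %s\n    PermitListen %s\n' "$user" "$port"
    done
}

# Usage (assumed path): append to sshd_config, validate, then reload sshd.
#   gen_permitlisten_config user1:19991 user2:19992 user3:19993 >> /etc/ssh/sshd_config
#   sshd -t && kill -HUP "$(cat /var/run/sshd.pid)"
```

A client that requests a port outside its PermitListen set keeps its session but the forward is refused, so the user sees "Warning: remote port forwarding failed for listen port N" while sshd logs the rejected request; a request for port 0 is likewise refused rather than mapped to the assigned port, so the dynamic mapping of question (b) still needs a code change.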