On 2014-06-17, James Berry <james@xxxxxxxxxxxxxx> wrote:
> I have a number of connections coming in to my host to create a reverse tunnel
>
> from machine 1: ssh -R:19991:192.168.250.251:80 user1@xxxxxxxx -N -f
> from machine 2: ssh -R:19992:192.168.250.251:80 user2@xxxxxxxx -N -f
> from machine 3: ssh -R:19993:192.168.250.251:80 user3@xxxxxxxx -N -f
>
> You can see that each user has a specific port that they should use.
>
> I would either like to dynamically set the correct port on my host (I
> know what they should be), or if I cannot I would like to restrict the
> connections so that the users can only open the tunnel on the ports
> that I have specified.
>
> I have not found anything in the configuration settings to restrict
> the ports that can be selected by an inbound connection. When a
> dynamic port (0) is used, this appears to just pick the next available
> port.
>
> I have experimentally patched serverloop.c to ignore the user
> specified port and used one based on the uid but wonder:
> a) Is there a good way to achieve this without patching openssh

Restricting port numbers could be done with a firewall that permits uid
specifications. PF can do this, though I'm not quite sure if doing this
from a firewall counts as a "good way" and, given the controls already
available on local forwarding, it does seem like something that it would
be reasonable to implement internally in ssh.

> b) If the best way is to continue with the patch perhaps we can
> discuss options for what the patch should look like as I would prefer
> to submit to the project rather than maintain my own branch. I would
> suggest either calling out to an external program that returns the
> port (this may be considered to be a security problem), or some other
> mapping from users to the port (range?) they can choose

For restrictions, it feels to me like this should probably be handled in
a similar way to permitopen as done for local forwarding - i.e. a config
parameter (which can be used in a Match block per-user) and an
authorized_keys option (which can call out to an external program via
AuthorizedKeysCommand if wanted). Then for the other part of what you're
looking for, dynamic port allocation on the server just needs to take
account of the port restrictions - in that case, the client could set
port 0, the server picks an allowed port and uses it, and the client
doesn't have to worry about choosing it itself.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
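The two server-side behaviours the reply proposes (a permitopen-style allow list for remote forwards supplied per user, and dynamic allocation for port 0 that chooses from that list rather than "the next free port") can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not OpenSSH code and does not reproduce serverloop.c. The POLICY table, the "host:port" entry syntax, the names check_remote_forward/parse_spec and the sample requests are all assumptions made for the example.

```python
"""Model of per-user listen-port restrictions for remote (ssh -R) forwards.

Added illustration, not OpenSSH code. It sketches the two server-side
behaviours proposed in the reply: a permitopen-style allow list for remote
forwards (what a per-user Match block or an authorized_keys option would
supply), and dynamic allocation (client requests port 0) that picks from
that allow list instead of "the next free port". All names and the policy
layout are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed policy: per-user allow list. Entries are "port" (any bind
# address) or "host:port"; "*" is accepted as host or port; "any" lifts all
# restrictions and "none" forbids remote forwarding. Users absent from the
# table are treated as "none" (fail closed in this model; OpenSSH itself
# permits all listen requests unless configured otherwise).
POLICY = {
    "user1": ["19991"],
    "user2": ["localhost:19992", "127.0.0.1:19992"],
    "user3": ["*:19993"],
    "admin": ["any"],
    "guest": ["none"],
}

# Range the server may choose from when a wildcard port is permitted.
EPHEMERAL = range(49152, 65536)


@dataclass(frozen=True)
class ListenSpec:
    host: str  # bind address, or "*" for any
    port: int  # 0 stands for "*" (any port)


def parse_spec(spec: str) -> ListenSpec:
    """Parse "host:port" or "port". The split is on the last ':' so a
    bracketed IPv6 literal such as "[::1]:19992" keeps its host intact."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        host, port = "*", spec
    return ListenSpec(host, 0 if port == "*" else int(port))


def host_matches(pattern: str, host: str) -> bool:
    # Only the bare "*" wildcard is modelled here.
    return pattern == "*" or pattern == host


def spec_allows(spec: ListenSpec, host: str, port: int) -> bool:
    return host_matches(spec.host, host) and spec.port in (0, port)


def check_remote_forward(user: str, host: str, port: int,
                         in_use: Iterable[int] = ()) -> Optional[int]:
    """Decide a "tcpip-forward" request for `user`.

    Returns the port the server should bind, or None to refuse. A request
    for port 0 asks the server to choose; here the choice is constrained by
    the user's allow list, and the client learns the result from the
    server's reply just as it does for ssh -R 0:... today.
    """
    busy = set(in_use)
    entries = POLICY.get(user, ["none"])
    if entries == ["none"]:
        return None

    def first_free(candidates: Iterable[int]) -> Optional[int]:
        return next((p for p in candidates if p not in busy), None)

    if entries == ["any"]:
        if port:
            return None if port in busy else port
        return first_free(EPHEMERAL)

    specs = [parse_spec(e) for e in entries]
    if port:
        allowed = any(spec_allows(s, host, port) for s in specs)
        return port if allowed and port not in busy else None

    # Dynamic allocation: prefer a concrete permitted port for this bind
    # address, then fall back to the ephemeral range if "host:*" is allowed.
    concrete = [s.port for s in specs if s.port and host_matches(s.host, host)]
    chosen = first_free(concrete)
    if chosen is None and any(not s.port and host_matches(s.host, host) for s in specs):
        chosen = first_free(EPHEMERAL)
    return chosen


if __name__ == "__main__":
    # Constructed requests mirroring the three machines in the thread.
    # "" is the RFC 4254 bind address meaning "all interfaces".
    for user, host, port in [("user1", "", 19991), ("user1", "", 19992),
                             ("user1", "", 0), ("user2", "localhost", 0),
                             ("user3", "", 19993), ("guest", "", 19991)]:
        print(user, host or "*", port, "->", check_remote_forward(user, host, port))
```

The explicit-port path is the restriction half of the proposal; the port-0 path is the "server picks an allowed port" half, so a client with a single permitted port never has to know its number. For the record, OpenSSH 7.8 later added a PermitListen sshd_config directive and a matching permitlisten= authorized_keys option that cover the restriction half; that real implementation is not what the block above models.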