On Mon, 2018-04-09 at 13:31 +0200, Jan Bergner wrote:
> However, since there does not seem to be any reasonable alternative
> short of doing way more elaborate software development ourselves,
> these will have to do.
> Therefore, I consider this matter closed.
>
> Thanks again to everybody who helped.

This really depends on how much the clients have to try to work around this obstacle you are going to throw under their feet.

There is a configuration option "ClearAllForwardings", which does basically the same thing but, to my understanding, needs to be specified on the command line after all the other forwarding options. The "allowed" ssh can be wrapped in some script that makes sure this option is passed, but as already said by others, there are other ways to get data out, so using a bastion/jumpbox for external connections might be the right way.

Note that PermitTunnel is something completely different and it will not help you in this case, because it is used for L2 and L3 tunneling using Tunnel configuration options (not the -R ones).

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev