for the A nat B C connect back to A using -R 2222:localhost:22 pattern, (see diagram at https://github.com/daradib/sidedoor) I want to limit B's user to just what is needed to do the port forward. I am hoping this is documented, but I can't find much more than "you should future out how to secre it." I setup an ansible playbook to instal and configure sidedoor on A. I have written some docs on securing B which is mostly: 1. append to /etc/ssh/sshd_config (user is from sidedoor.yml) Match User {user} MaxSessions 60 PasswordAuthentication no ChrootDirectory %h X11Forwarding no AllowTcpForwarding yes PermitTunnel no PermitTTY no Banner none ForceCommand /bin/false https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184 Those options are from me reading the docs and collecting tips i found on internet. A friend pointed out "be aware sftp is likely enabled." Once I have something solid, hopefully someone can find a place for it to live and projects like mine and sidedoor can reference it. -- Carl K _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
