From: sen_ml@eccosys.com
To: security@freebsd.org
Subject: restricting which ports a user can forward in ssh (was Re: sshd and pop/ftponly users incorrect configuration)
Date: Tue, 25 Jan 2000 20:08:50 +0900
Message-Id: <20000125200850Q.1000@eccosys.com>

this may not be directly related, but since the topic is similar...

i have suggested in the past on the ssh and openssh-unix-dev mailing lists whether it might be useful to be able to restrict which ports a given user can forward.

it is clear that for this to be useful, you would need to prevent shell access by users. if the functionality did exist, to set this up you'd set up authorized_key files for each user (or create a dummy account w/ an authorized_key file) and put an appropriate command="..." option in for each key.

i have not found this functionality in any of the ssh daemons -- is there a patch out there to do this?

not having ever received a response about this idea, i begin to wonder whether it is completely useless ;-) it seems like it would not be all that hard to implement...
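Added example, not part of the original message: a small Python audit of authorized_keys lines for the setup the message describes (a forced command="..." on each key, no shell, forwarding limited to named ports). It assumes an sshd whose authorized_keys format also accepts the no-pty and permitopen="host:port" options, as later OpenSSH releases document in sshd(8); the sample lines, key material and command path are constructed.

```python
# Added example: audit authorized_keys lines meant to be forwarding-only.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options field

def parse_options(line):
    """Return {option: [values]} from the leading options field; flags map to []."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}
    items, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2      # \" inside a quoted value
            continue
        if ch == '"':
            quoted = not quoted            # quotes delimit the value, they are not part of it
        elif ch == "," and not quoted:
            items.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break                          # end of options field, key type follows
        else:
            cur += ch
        i += 1
    items.append(cur)
    opts = {}
    for item in filter(None, items):
        name, _, value = item.partition("=")
        opts.setdefault(name.lower(), []).extend([value] if value else [])
    return opts

def audit(line, allowed_targets):
    """List the ways a key falls short of 'may forward only to allowed_targets'."""
    opts, findings = parse_options(line), []
    if "command" not in opts:
        findings.append("no forced command: key can start a shell")
    if "no-pty" not in opts:
        findings.append("no-pty missing: terminal allocation allowed")
    targets = opts.get("permitopen", [])
    if not targets:
        findings.append("no permitopen: any host:port can be forwarded to")
    findings += ["unexpected forward target " + t for t in targets if t not in allowed_targets]
    return findings

# Constructed sample lines; key material is a placeholder, the command path is hypothetical.
SAMPLE = [
    'command="/usr/local/bin/forward-only",no-pty,permitopen="127.0.0.1:110" ssh-ed25519 AAAAplaceholder pop-user',
    'permitopen="127.0.0.1:110",permitopen="10.0.0.5:22" ssh-ed25519 AAAAplaceholder other-user',
    'ssh-rsa AAAAplaceholder shell-user',
]
```

permitopen constrains only local (`ssh -L` style) forwards, so a key that must not open remote listeners needs that restricted separately.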