Date: Thu, 1 Mar 2001 12:13:49 -0700 (MST)
From: Nate Williams <nate@yogotech.com>
To: naddy@mips.inka.de (Christian Weisgerber)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks
Message-ID: <15006.40813.304297.252608@nomad.yogotech.com>
In-Reply-To: <97m0uf$2gj$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com> <20010301004422.B14501@mollari.cthul.hu> <97m0uf$2gj$1@kemoauc.mips.inka.de>
> > > Yep. Note, the commercial version SSH1 had the ability to turn on/off
> > > port forwarding on a per-user and/or a per-port options.
> >
> > I can't even find mention of this in the ssh.com version
>
> Because Nate's wrong. Ylönen-SSH1 only has a global AllowTcpForwarding
> switch, as has OpenSSH.
Believe what you want. I've got sources that prove you're wrong. The JDK
CVS repository was using this feature for 18 months (until I quit my
former job) to only allow people to port forward CVS-Pserver requests,
but disallow all other forwarding requests.
FWIW, we used 'f-secure-ssh-1.3.2'
.nr CO 1
.ie \n(CO .TH SSHD 8 "November 8, 1995" "F-SECURE SSH" "F-SECURE SSH"
.el .TH SSHD 8 "November 8, 1995" "SSH" "SSH"
[ SNIP ]
.B AllowForwardingPort
This keyword can be followed by any number of port numbers, separated
[ SNIP ]
.TP
.B AllowForwardingTo
This keyword can be followed by any number of hostname and port number
[ SNIP ]
.B DenyForwardingPort
This keyword can be followed by any number of port numbers, separated
[ SNIP ]
.B DenyForwardingTo
This keyword can be followed by any number of hostname and port number
You *obviously* don't know what you're talking about. Be careful about
what you say on public mailing lists...
> It's Ylönen-SSH2 that offers the more
> fine-grained {Allow,Deny}TcpForwardingFor{Users,Groups} option set.
Unfortunately, the SSH2 product did *NOT* allow fine grained options to
be set in the version we bought, 'f-secure-ssh-2.0.12.1'.
> I don't see a way to control forwarding per port.
Well, since you claim to be an expert, I'll let you find it yourself.
> I guess it wouldn't be very hard to add these options to OpenSSH,
> as you should be able to reuse the existing {Allow,Deny}{Users,Groups}
> and AllowTcpForwarding code.
Nate
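Added example, not part of the original message or of any of the SSH products discussed in it: the per-user, per-destination forwarding policy the thread argues about (allow only CVS pserver forwards for one group, deny everything else) expressed for a modern OpenSSH sshd_config, where the same effect is obtained with a global AllowTcpForwarding default, a Match block and PermitOpen rather than with the F-Secure AllowForwardingTo/DenyForwardingTo keywords quoted above. The group name cvs-users, the host cvs.example.com and the pserver port 2401 are assumed values for illustration.

```text
# sshd_config fragment (added example; names and hosts are assumed)

# Weak default: any authenticated user may forward any TCP port,
# in both directions.
AllowTcpForwarding yes

# Hardened default: no TCP forwarding for anyone, unless a Match
# block below re-enables it for a specific population.
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no

# Match blocks must come last; every directive after a Match line
# applies only to that Match until the next Match line.
Match Group cvs-users
    # "local" permits only client-side (-L) forwards; remote (-R)
    # forwards stay denied for this group.
    AllowTcpForwarding local
    # PermitOpen restricts the destinations a -L forward may reach.
    # 2401 is the conventional CVS pserver port (assumed here).
    PermitOpen cvs.example.com:2401
```

Two practitioner caveats. First, PermitOpen only constrains what the forwarded connection may be opened to; it does not stop a user who also has a shell on the host from relaying traffic by other means, so the policy is only as strong as the shell or ForceCommand restrictions that accompany it. Second, after editing, run `sshd -t` (or `sshd -T -C user=someone,host=...,addr=...` to print the effective configuration for a given connection) before reloading, since a misplaced Match line silently changes which directives apply to whom.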