[scponly] scponly users can still use port forwarding
Benjamin Donnachie
benjamin at py-soft.co.uk
Wed May 10 04:42:40 EDT 2006
Steven Mocking wrote:
> Hence my question: is there a way to restrict ssh port forwarding to a
> specific group of users? Or is running multiple ssh servers the only
> solution?
Take a look at the sshd match patch:
http://bugzilla.mindrot.org/show_bug.cgi?id=1180
"Add "Match" keyword to sshd_config
This patch (against 4.3p2) extends sshd_config to support syntax such
as:

    AllowTcpForwarding no

    Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

    Match User bar,baz
        AllowTcpForwarding yes

    Match Host t*
        AllowTcpForwarding yes

The criteria currently supported by Match are "User [user
pattern-list]", "Group [group pattern]", "Address [address
pattern-list]" and "Host [host pattern-list]". Multiple criteria may
be specified on a single Match line; if so, all criteria must match
before the Match block takes effect (i.e. it is a logical AND).
The directives supported inside a "Match" block are:
AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2,
Banner, ChallengeResponseAuthentication,
ChallengeResponseAuthentication, ClientAliveCountMax,
ClientAliveInterval, GatewayPorts, GssAuthentication, GssCleanupCreds,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts,
IgnoreUserKnownHosts, KbdInteractiveAuthentication,
KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd,
KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime,
MaxAuthTries, PasswordAuthentication, PermitEmptyPasswd,
PermitRootLogin, PermitTunnel, PermitUserEnvironment, PrintLastLog,
PrintMotd, PubkeyAuthentication, PubkeyAuthentication,
RSAAuthentication, RhostsRSAAuthentication, StrictModes, UseLogin,
UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost,
XAuthLocation. Only a (small) subset of these have been tested."
Ben
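
A small evaluator for the Match semantics quoted above (pattern lists, logical AND of criteria), added here as an illustration for auditing which connections end up with forwarding enabled; it is not code from the patch or from OpenSSH. Assumptions not stated in the message: only `*` and `?` act as wildcards, and when several Match blocks apply, the earliest one to set a keyword wins.

```python
import re

# Sample config from the quoted bug report (indentation added for readability).
SAMPLE_CONFIG = """\
AllowTcpForwarding no
Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no
Match User bar,baz
    AllowTcpForwarding yes
Match Host t*
    AllowTcpForwarding yes
"""

def pattern_list_matches(pattern_list, value):
    """True if value matches any comma-separated pattern (assumed wildcards: * and ?)."""
    for pat in pattern_list.split(","):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        if re.fullmatch(regex, value):
            return True
    return False

def parse(config):
    """Return (global_settings, [(criteria, settings), ...]) with lower-cased keys."""
    global_settings, blocks = {}, []
    current = global_settings
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "match":
            # "Match User a,b Address 10.*" -> {"user": "a,b", "address": "10.*"}
            criteria = {k.lower(): v for k, v in zip(words[1::2], words[2::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(words[0].lower(), " ".join(words[1:]))
    return global_settings, blocks

def effective(config, **conn):
    """Settings for one connection, e.g. effective(cfg, user="bar", address="10.0.0.5")."""
    global_settings, blocks = parse(config)
    matched = {}
    for criteria, settings in blocks:
        # Every criterion on the Match line must hold (logical AND).
        if all(pattern_list_matches(p, conn.get(k, "")) for k, p in criteria.items()):
            for key, val in settings.items():
                matched.setdefault(key, val)  # assumption: earliest matching block wins
    return {**global_settings, **matched}
```
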