first part of permit options

Florz 2021-02-18 23:38:34 +01:00
parent 915e3d166d
commit 1edf4b527c
1 changed files with 13 additions and 5 deletions


@ -46,8 +46,16 @@ This is all done in `/home/ssh-port-forwarding/.ssh/authorized_keys`.
First use the `ssh-keygen` command to create a private and public key pair on the client side. Don't type any password! Then use `cat ~/.ssh/id_rsa.pub` to display the content of your newly created public key. After that add a new line in the `authorized_keys` file on the server. Use the following line as an example. Your key starts at `AAAA...` and this all needs to be in a single line per key.
`restrict,command="",port-forwarding,permitlisten="localhost:22",permitopen="localhost:22" ssh-rsa AAAA...`
`restrict`: this restricts all current and future forwarding options
`command=""`: don't allow client to send a command, set an empty forced command instead
`port-forwarding`: allow port forwarding
`permitlisten="localhost:22"`: restrict client to create (via `ssh -R`) port 22 on the server only, which will fail (default for security reasons)
`permitopen="localhost:22"`: restrict client to access (via `ssh -L`) ssh port on server only (default for security reasons)
* `restrict`: this disables all current and future forwarding options (we will whitelist what we need)
* `command=""`: don't allow client to send a command, set an empty forced command instead
* `port-forwarding`: allow port forwarding
* `permitlisten="localhost:22"`: restrict client to create (via `ssh -R`) port 22 on the server only, which will fail (default for security reasons)
* `permitopen="localhost:22"`: restrict client to access (via `ssh -L`) ssh port on server only (default for security reasons)
The `permitopen` and `permitlisten` options can be used multiple times in a row. The syntax is as follows:
* `permitlisten="[host:]port`
* `port` is the port on the server that you want to open locally or towards the Internet
* `host` specifies on which interface the server should listen for incoming connections. You should either specify `localhost` or `*`
* `localhost` binds the port to the loopback device and can only be used by processes on the same server
* `*` allows access on all ports (e.g. from the Internet) if `GatewayPorts clientspecified` is set in `/etc/ssh/sshd_config`
* `permitopen="host:port"`
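Review bot: the syntax line `permitlisten="[host:]port` in the new bullet list is missing its closing double quote, so the rendered option does not match the form actually written into `authorized_keys`; it should read `permitlisten="[host:]port"`, parallel to the `permitopen="host:port"` bullet that follows. In the same list, the `*` bullet says it "allows access on all ports", but the surrounding text defines `host` as the interface the server listens on, so this should say "all interfaces" (the port is still the single one named); consider also stating explicitly in the `localhost` bullet that this is the safe default, since the `GatewayPorts clientspecified` requirement is only mentioned for the `*` case.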