first part of permit options
This commit is contained in:
parent
915e3d166d
commit
1edf4b527c
18
README.md
18
README.md
|
@ -46,8 +46,16 @@ This is all done in `/home/ssh-port-forwarding/.ssh/authorized_keys`.
|
|||
First use the `ssh-keygen` command to create a private and public key pair on the client side. Don't type any password! Then use `cat ~/.ssh/id_rsa.pub` to display the content of your newly created public key. After that add a new line in the `authorized_keys` file on the server. Use the following line as an example. Your key starts at `AAAA...` and this all needs to be in a single line per key.
|
||||
`restrict,command="",port-forwarding,permitlisten="localhost:22",permitopen="localhost:22" ssh-rsa AAAA...`
|
||||
|
||||
`restrict`: this restricts all current and future forwarding options
|
||||
`command=""`: don't allow client to send a command, set an empty forced command instead
|
||||
`port-forwarding`: allow port forwarding
|
||||
`permitlisten="localhost:22"`: restrict client to create (via `ssh -R`) port 22 on the server only, which will fail (default for security reasons)
|
||||
`permitopen="localhost:22"`: restrict client to access (via `ssh -L`) ssh port on server only (default for security reasons)
|
||||
* `restrict`: this disables all current and future forwarding options (we will whitelist what we need)
|
||||
* `command=""`: don't allow client to send a command, set an empty forced command instead
|
||||
* `port-forwarding`: allow port forwarding
|
||||
* `permitlisten="localhost:22"`: restrict client to create (via `ssh -R`) port 22 on the server only, which will fail (default for security reasons)
|
||||
* `permitopen="localhost:22"`: restrict client to access (via `ssh -L`) ssh port on server only (default for security reasons)
|
||||
|
||||
The `permitopen` and `permitlisten` options can be used multiple times in a row. The syntax is as follows:
|
||||
* `permitlisten="[host:]port`
|
||||
* `port` is the port on the server that you want to open locally or towards the Internet
|
||||
* `host` specifies on which interface the server should listen for incoming connections. You should either specify `localhost` or `*`
|
||||
* `localhost` binds the port to the loopback device and can only be used by processes on the same server
|
||||
* `*` allows access on all ports (e.g. from the Internet) if `GatewayPorts clientspecified` is set in `/etc/ssh/sshd_config`
|
||||
* `permitopen="host:port"`
|
Loading…
Reference in New Issue