From d7cd5dc5a2b8ffc9dad53b31d5fa85184872144c Mon Sep 17 00:00:00 2001 From: Florz Date: Thu, 18 Feb 2021 21:27:00 +0100 Subject: [PATCH] add sshd_config lines --- README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bd10ff2..f35d1c7 100644 --- a/README.md +++ b/README.md @@ -8,4 +8,16 @@ Luckily opennsh made autossh redundant because it already offers built-in monito ## Disclaimer When you follow this guide, you can make otherwise protected services accessible to the public Internet (when using `ssh -R`). This might be an attack vector into your protected network. -When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost). \ No newline at end of file +When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost). + +## Server configuration + +### `/etc/ssh/sshd_config` + +Add or change the following lines: +``` +GatewayPorts clientspecified +ClientAliveInterval 5 +ClientAliveCountMax 3 +``` +This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter. \ No newline at end of file
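Review bot: The new "Server configuration" paragraph tells the reader to restrict `GatewayPorts clientspecified` "late on through the `permitlisten` variable in the `authorized_keys file`", but it never says what happens to keys that lack that option, and the disclaimer above warns about exactly that case (an attacker forwarding "the port of your unprotected service (e.g. a database on localhost)"). Suggest stating explicitly that `permitlisten` only constrains the key it is attached to, and that the server-wide default should be tightened as well in the same block, for example `AllowTcpForwarding remote` if the guide only needs `ssh -R`, so that a key without restrictions cannot be used for `-L` forwards into localhost services. Two smaller points in the same paragraph: "late on" should read "later on", and the backticks are misplaced (`authorized_keys` file, not `authorized_keys file`). It would also help to spell out the effect of the keepalive values (5 s interval times 3 missed replies means a dead client is dropped after roughly 15 s), and to add the missing trailing newline so the file no longer ends with "No newline at end of file".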