allowing LocalForward but restricting RemoteForward


I can restrict certain SSH users/keys from doing shell commands by putting
something like:


on the line with their public key in the authorized_keys file, allowing
them to do only that one command, or to use the -N option to do no command.
That way they can do -L and -R to set up secure TCP paths.

For some users, I'd like to further limit this so they can only do -L and
not do -R at all.  I could use:


on the key line in the authorized_keys file, but that would turn off BOTH
-L and -R.  But I want to leave -L on.

Perhaps permitopen="host:port" might work for SOME of these users, since
a subset only needs to connect to one specific host:port.  But some others
might need to do more than that.  I may even want to let them do -D.
I just don't want them to do -R at all.

Any ideas?  Something I overlooked?

| Phil Howard KA9WGN (  /  Do not send to the address below |
| first name lower case at   / |
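
An added example, not part of the original post: a small auditor that reads the option field of each authorized_keys line and reports, per key, whether -L and -R forwarding are open, limited, or denied. Besides no-port-forwarding and permitopen it recognises restrict, port-forwarding and permitlisten, options from later OpenSSH releases that the post does not mention; the sample lines, host names and key blobs are constructed.

```python
# Constructed sample authorized_keys content; key blobs are placeholders.
SAMPLE = '''\
command="/bin/false",no-pty ssh-ed25519 AAAAplaceholder1 tunnel-any
no-port-forwarding ssh-ed25519 AAAAplaceholder2 no-tunnels
permitopen="db.example.internal:5432" ssh-ed25519 AAAAplaceholder3 one-dest
restrict,port-forwarding,permitopen="10.0.0.5:22",permitlisten="localhost:8080" ssh-ed25519 AAAAplaceholder4 scoped
ssh-ed25519 AAAAplaceholder5 unrestricted
'''
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # how the key-type field begins

def parse_line(line):
    """Split one key line into ([(option, value)], comment); options end at the first unquoted space."""
    opts, cur, in_quote, end = [], "", False, 0
    if not line.split()[0].startswith(KEY_PREFIXES):
        for end, ch in enumerate(line):
            if ch == '"' and not cur.endswith("\\"):
                in_quote = not in_quote
            if not in_quote and (ch == "," or ch.isspace()):
                name, _, val = cur.partition("=")
                opts.append((name.lower(), val[1:-1] if val[:1] == '"' else val))
                cur = ""
                if ch.isspace():
                    break
            else:
                cur += ch
    fields = line[end:].split(None, 2)  # key type, base64 blob, comment
    return opts, fields[2].strip() if len(fields) > 2 else ""

def forwarding_policy(opts):
    """Per-key view only; sshd_config can restrict further."""
    allowed, opens, listens = True, [], []
    for name, val in opts:  # options apply in order, so a later flag wins
        if name in ("restrict", "no-port-forwarding"):
            allowed = False
        elif name == "port-forwarding":
            allowed = True
        elif name == "permitopen":    # limits -L destinations only
            opens.append(val)
        elif name == "permitlisten":  # limits -R listen addresses only
            listens.append(val)
    if not allowed:
        return {"local": "denied", "remote": "denied"}
    return {"local": "only " + ",".join(opens) if opens else "any",
            "remote": "only " + ",".join(listens) if listens else "any"}

def audit(text):
    """Map key comment -> forwarding policy for every key line in text."""
    keys = (l.strip() for l in text.splitlines() if l.strip()[:1] not in ("", "#"))
    return {c: forwarding_policy(o) for o, c in map(parse_line, keys)}
```

Calling `audit()` on the text of an account's authorized_keys file returns one entry per key comment; the `one-dest` sample shows that a permitopen restriction on its own still leaves -R reported as `any`.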
