Deny remote hosts to connect to local forwarded ports

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I have a linux server with ssh server behind a firewall and recently
noticed users establish ssh tunnels to remote machines and enable the
"-g  Allows remote hosts to connect to local forwarded ports." option,
which is not convenient at the moment.
I could deny this on the firewall, but once the connections are
started from the inside i would have to deny all outgoing ssh
connections... (I think)
I am trying to disable this feature in the config files for sshd and
ssh, so I looked at the ssh_config and sshd_config man pages and found
the following directives:
AllowTcpForwarding and GatewayPorts

I tried setting both to "no" and restarting sshd, but users are still
able to establish the tunnels.
Question: Is there any way of disabling the -g option, used in ssh, in
the config files or do I have to compile with the
--disable-tcp-forwarding (or some other) option ?

The command people in my server is using to establish the tunnel is
(the ports are examples...):
/usr/bin/ssh -a -f -T -x -N -C -g -R 2221:localhost:22 -l theUserName sleep 100000
...then in they use the tunnel with:
/usr/bin/ssh theUserName@localhost -p 2221

Thanks in advance,

Re: Deny remote hosts to connect to local forwarded ports

Quoted text here. Click to load it

Of course -- the example you give involves the local client and remote
server only, so changing the configuration of your local server can have
no effect on it, in any case.

Quoted text here. Click to load it

You do not say what SSH software you're using.  OpenSSH does not have such
an option, either run- or compile-time; does.  It wouldn't be very
effective in any case, since users can simply run their own forwarders
attached to the SSH connection.  You're allowing people to make outbound
network connections with direct access to both ends; they can do with them
what they like.

If you want to lock things down to that extent, you have to control what
programs they can run.  For instance, have a restricted login to the
bastion host, and only allow running your copy of SSH, with forwarding
disabled, to establish terminal sessions.  And of course, you have to shut
down outbound network access for any other hosts.  And it still won't be
entirely effective, because someone could script that on the inside and
run a redirector on the remote side and still get arbitrary connections;
it would simply be more of a pain for someone to do.

  Richard Silverman

Site Timeline