Multiple ssh tunnels limited to certain users



In our public hospital we want to let external companies access the
servers they have in maintenance. I would like to do this using a
PuTTY ssh tunnel.
The problem is that I want every company to be able to connect only to
their own server. With PuTTY's plink the client tells the server where it
should be redirected, e.g. plink -N -L 3390:winserver:3389 user@linuxserver.
If I have only one ssh server running that authenticates all the users,
they can connect to all the servers because they pass the parameters to
PuTTY. Is it possible to configure sshd the way that user A can only
create a tunnel to server A while user B can only connect to server B?
If not, is it possible to let sshd listen on different ports and use
different passwd and shadow files and then only permit the access to one
destination server?

I hope it is clear what we need.

Thank you very much

Re: Multiple ssh tunnels limited to certain users

Hi Andreas,

If each external company only maintains one machine, you could create a
script on the Linux server which automatically forwards the connection
to that one machine. That way it is you who decides where a forward goes
to, instead of a client.

If those companies always work from the same IP address(es), you could
set fixed IP forwards on your Linux machine from those addresses to the
corresponding Windows machines. Not absolutely watertight, but very easy
to implement and use.

You could also limit the forwards that each user can do, but I think
you'll have to use SELinux for that. Could be a good idea, security-wise,
but SELinux has quite a learning curve...

Another option could be to use Kerberos / Active Directory. Using that,
you can assign access to specific servers to specific users. Kerberos is
quite complex though, and would require your externally administered
machines to join a Kerberos realm.

Kind regards,


Andreas Moroder wrote:

Re: Multiple ssh tunnels limited to certain users


Shouldn't that script be the connecting user's shell?

Re: Multiple ssh tunnels limited to certain users

Nico Kadel-Garcia wrote:

Possible, but that's not what I had in mind. There are quite a lot of
nice things possible with the file "authorized_keys". Only now do I
notice that it's even possible to restrict local port forwards. If you
make the authorized_keys readonly for all users, that would be a great
way to restrict access to servers behind the Linux box: an external
party logs into the Linux box and starts a forward to "his" box behind
it. Root administers the authorized_keys and thus the machines to which
he can start a forward. After the forward has been set up, the external
guy can connect to this port and reach the machine behind.

This would require the external parties to use SSH keys, instead of an
interactive login with a password.

Just thinking aloud, btw, haven't tested this. But I know the principle
of starting a command from authorized_keys: that's what I sometimes use
on a SVN server.
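What the authorized_keys approach above looks like in practice, as an added example that is not code from the thread. The user name, host names and the key are placeholders; it assumes OpenSSH on the Linux box and RDP on port 3389 on the Windows machine behind it, as in the original question.

```text
# /etc/ssh/authorized_keys/companya   (example entry, placeholders throughout)
# The options in front of the key are enforced by sshd for key-based logins:
#   no-pty / no-agent-forwarding / no-X11-forwarding
#       - nothing but a plain TCP forward is allowed over this key
#   permitopen="winserver-a:3389"
#       - the only -L destination sshd will open for this key; a request
#         for any other host:port is refused and logged by sshd
#   command="/bin/false"
#       - an interactive login exits immediately; plink -N opens no
#         session at all, so the permitted forward still works
no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="winserver-a:3389",command="/bin/false" ssh-rsa AAAAB3...EXAMPLEKEY... company-a@maintenance

# /etc/ssh/sshd_config additions (same example): keep the key files under
# root's control instead of in each user's home directory, and make sure a
# password login cannot be used to bypass the restrictions, which only
# apply to logins authenticated with the key.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
PasswordAuthentication no
```

With this in place company A runs plink -N -L 3390:winserver-a:3389 companya@linuxserver and reaches RDP on its own localhost:3390, while -L 3390:winserver-b:3389 is refused by the server side of the channel request, whatever the client asks for. The directory /etc/ssh/authorized_keys and the files in it should be owned by root and not writable by the maintenance accounts.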

Re: Multiple ssh tunnels limited to certain users

Andreas Moroder wrote:

I did read the man files last weekend.
What if I start sshd more than once, every time with its own
configuration file and another port. In this file I set

AllowUsers or AllowGroups to define who can log in to this sshd

Now, if someone can tell me how I can set a fixed host where the
connection is redirected to prevent the client from doing this here

plink -N -L 3390:destserver:3389 user@linuxserver

the problem should be solved ( or not ? ).

I made a first test and started sshd -i -d -p 27 but I get only
connection refused from my client.
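The fixed destination per user asked for above can be set in a single sshd_config with Match blocks, without running several sshd instances. This is an added example, not configuration from the thread; it needs OpenSSH 4.4 or newer for Match and PermitOpen, and the user and host names are placeholders.

```text
# /etc/ssh/sshd_config  (example, placeholders throughout)

# Defaults for everyone: no forwarding of any kind, and only the
# maintenance accounts may log in at all.
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
AllowUsers companya companyb

# Match blocks must come last in the file; everything below a Match line
# applies only to the matching user. Each account gets exactly one
# permitted forward target, decided here by the server, not by the client.
Match User companya
    AllowTcpForwarding yes
    PermitOpen winserver-a:3389
    ForceCommand /bin/false

Match User companyb
    AllowTcpForwarding yes
    PermitOpen winserver-b:3389
    ForceCommand /bin/false
```

Check the file with sshd -t -f /etc/ssh/sshd_config before reloading. With this, plink -N -L 3390:winserver-a:3389 companya@linuxserver works for company A, and the same user asking for winserver-b is refused by sshd. On the test in the post above: -i puts sshd into inetd mode, where it serves one connection on stdin/stdout and never listens on a port, so -p has no effect there; a second instance on its own port is started with sshd -d -p 27 -f /path/to/other_sshd_config instead.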

