Can the SSH Forward tunneling destination be restricted on a per user basis?
Example: client 'a' can forward tunnel to 192.168.10.2:22 – only. Client 'b' can forward tunnel to 192.168.11.2:22 – exclusively.
Update
I'm looking to restrict the following tunneling command, on a per user or per group basis:
Requirements:
- client_a can forward tunnel to 192.168.10.*, exclusive.
- client_b can forward tunnel to 192.168.11.*, exclusive.
Valid tunneling command (for client_a):
ssh -f client_a@gateway -L localhost:2222:192.168.10.2:22 -N
Invalid tunneling command (for client_a) – SSH connection on gateway should close immediately.
ssh -f client_a@gateway -L localhost:2222:192.168.11.2:22 -N
Valid tunneling command (for client_b):
ssh -f client_b@gateway -L localhost:2222:192.168.11.2:22 -N
Invalid tunneling command (for client_b) – SSH connection on gateway should close immediately.
ssh -f client_b@gateway -L localhost:2222:192.168.10.2:22 -N
Can this restriction be achieved with modifications to the sshd_config?
Best Answer
Assuming it's a modern sshd version, /etc/ssh/sshd_config supports the Match and PermitOpen directives, which can be combined to restrict the targets specified by clients setting LocalForward options. So something like this should work...
I am not 100% sure of the ordering of those PermitOpens.. (By default all port forwarding requests are permitted.) so you might have to reverse them, or add a Permit none at the appropriate point to block unmatched forwardings. Or possibly like this;
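An added example (not part of the answer above) of the sshd_config layout the answer describes, using the hosts from the question: a global PermitOpen none blocks forwarding for everyone, and each Match block re-opens only that user's destination. PermitOpen takes literal host:port pairs only (the * wildcard stands for the whole host or port field, so 192.168.10.* is not accepted), which is why each permitted host in a subnet has to be listed explicitly.

```sshd_config
# Added example: fragment of /etc/ssh/sshd_config on "gateway" from the question.
# Global default, applies to every user that no Match block re-opens:
PermitOpen none

# Match blocks must follow all global settings; every line after a Match line
# belongs to that block until the next Match line or end of file.
# "Match Group <name>" works the same way for a per-group rule.
Match User client_a
    # Local (-L) forwarding only; reverse (-R) tunnels stay refused.
    AllowTcpForwarding local
    # Matches "-L localhost:2222:192.168.10.2:22" from the question.
    # Use 192.168.10.2:* to allow any port on that host. No subnet or partial
    # wildcard exists, so a whole /24 has to be enumerated host by host:
    # PermitOpen 192.168.10.2:* 192.168.10.3:* 192.168.10.4:*
    PermitOpen 192.168.10.2:22

Match User client_b
    AllowTcpForwarding local
    PermitOpen 192.168.11.2:22
```

Check the effective value for one user with `sshd -T -C user=client_a | grep -i permitopen` before reloading. A forward to a non-permitted destination is refused with "administratively prohibited" while the SSH session itself stays up, so this does not close the connection as the question asks.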