Linux – Restrict SSH Forward Tunneling Destination By User

Tags: linux, ssh

Can the SSH Forward tunneling destination be restricted on a per user basis?

Example: client 'a' can forward tunnel to 192.168.10.2:22 – only. Client 'b' can forward tunnel to 192.168.11.2:22 – exclusively.

Update

I'm looking to restrict the following tunneling command, on a per user or per group basis:


Requirements:

  • client_a can forward tunnel to 192.168.10.*, exclusive.
  • client_b can forward tunnel to 192.168.11.*, exclusive.

Valid tunneling command (for client_a):

ssh -f client_a@gateway -L localhost:2222:192.168.10.2:22 -N

Invalid tunneling command (for client_a) – SSH connection on gateway should close immediately.

ssh -f client_a@gateway -L localhost:2222:192.168.11.2:22 -N

Valid tunneling command (for client_b):

ssh -f client_b@gateway -L localhost:2222:192.168.11.2:22 -N

Invalid tunneling command (for client_b) – SSH connection on gateway should close immediately.

ssh -f client_b@gateway -L localhost:2222:192.168.10.2:22 -N

Can this restriction be achieved with modifications to the sshd_config?

Best Answer

Assuming it's a modern sshd version, /etc/ssh/sshd_config supports the Match and PermitOpen directives, which can be combined to restrict the targets specified by clients setting LocalForward options.

PermitOpen
    Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

        PermitOpen host:port
        PermitOpen IPv4_addr:port
        PermitOpen [IPv6_addr]:port

    Multiple forwards may be specified by separating them with whitespace. An argument of “any” can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.

Source: https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

So something like this should work...

Match User client_a
    PermitOpen none
    PermitOpen 192.168.10.2:22

Match User client_b
    PermitOpen none
    PermitOpen 192.168.11.2:22

I am not 100% sure of the ordering of those PermitOpen lines (by default all port forwarding requests are permitted), so you might have to reverse them, or add a PermitOpen none at the appropriate point to block unmatched forwardings.

Or possibly like this:

Match User client_a
    PermitOpen 192.168.10.2:22

Match User client_b
    PermitOpen 192.168.11.2:22

Match User client_a,client_b
    PermitOpen none
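The following is an added example, not code from the question or the answer above. It writes the per-user PermitOpen configuration the answer is reaching for, checks it with sshd's own test mode where an sshd is installed, and includes a small offline evaluator of PermitOpen entries so the matching rules can be seen without a gateway. Everything in it is an assumption for illustration: the users client_a and client_b come from the question, 192.168.10.3 is an extra host made up to show a multi-entry line, and the config goes to a temporary file rather than /etc/ssh/sshd_config. Three caveats a practitioner should know are built into it: sshd keeps the first value it reads for a keyword, so all of a user's destinations must sit on one PermitOpen line (a second line is ignored rather than merged); hosts are compared literally, with "*" on its own standing for any host or any port in newer releases, so a subnet such as 192.168.10.* has to be listed host by host; and a refused forward does not close the SSH session, the channel open simply fails with "administratively prohibited" and sshd logs the denied request.

```shell
#!/bin/sh
# Added example (not code from the original question or answer). It writes a
# per-user PermitOpen configuration for the gateway described above, checks it
# with sshd's own test mode where sshd is installed, and includes an offline
# evaluator of PermitOpen rules so the matching behaviour can be seen without
# a gateway. Assumptions (hypothetical): users client_a and client_b as in the
# question; 192.168.10.3 is an extra host added only to show a multi-entry line;
# the config goes to a temp file, never to /etc/ssh/sshd_config.
# -f disables globbing so entries such as "*:22" are never expanded as paths.
set -euf

# Constructed sshd_config fragment.
#  * sshd keeps the FIRST value it reads for a keyword, so all of a user's
#    destinations belong on one PermitOpen line; a later line is ignored.
#  * Hosts and ports are compared literally. "*" on its own means any host or
#    any port (newer releases); "192.168.10.*" is just a string that never
#    matches, so a subnet has to be listed host by host.
#  * A refused forward does not close the SSH session: the channel open fails
#    with "administratively prohibited" and sshd logs the denied request.
write_config() {
    cat >"$1" <<'EOF'
AllowTcpForwarding yes

# Default for every user not matched below: no local forwarding
PermitOpen none

Match User client_a
    PermitOpen 192.168.10.2:22 192.168.10.3:22

Match User client_b
    PermitOpen 192.168.11.2:22
    # WRONG: a second PermitOpen in the same block is silently ignored
    # (first value wins), so this would NOT add 192.168.11.3:
    # PermitOpen 192.168.11.3:22
EOF
}

# Live check, meaningful only on a host with sshd and readable host keys
# (run as root on the gateway). -t checks syntax; -T -C user=NAME prints the
# options sshd would apply to NAME after Match processing.
verify_with_sshd() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed here; run this on the gateway"
        return 0
    fi
    sshd -t -f "$1" || { echo "config rejected by sshd -t"; return 0; }
    for u in client_a client_b someone_else; do
        printf '%-14s' "$u:"
        sshd -T -f "$1" -C user="$u" 2>/dev/null | grep -i '^permitopen' \
            || echo "(no output: host keys readable? running as root?)"
    done
}

# Offline evaluator: does a PermitOpen list (as written in sshd_config or as
# printed by sshd -T) allow a forward to host:port? Mirrors sshd's rules:
# literal comparison, "*" wildcard for host or port, "any"/"none" switches.
# Exit status 0 = allowed, 1 = denied.
permitopen_allows() {
    list=$1 host=$2 port=$3
    for entry in $list; do
        case $entry in
            any)  return 0 ;;
            none) return 1 ;;
        esac
        ehost=${entry%:*}          # everything before the last colon
        eport=${entry##*:}         # everything after the last colon
        ehost=${ehost#"["}         # IPv6 entries are written [addr]:port
        ehost=${ehost%"]"}
        if { [ "$ehost" = '*' ] || [ "$ehost" = "$host" ]; } &&
           { [ "$eport" = '*' ] || [ "$eport" = "$port" ]; }; then
            return 0
        fi
    done
    return 1
}

cfg=$(mktemp)
write_config "$cfg"
verify_with_sshd "$cfg"
rm -f "$cfg"

client_a_rules='192.168.10.2:22 192.168.10.3:22'
permitopen_allows "$client_a_rules" 192.168.10.2 22 && echo "client_a -> 192.168.10.2:22 allowed"
permitopen_allows "$client_a_rules" 192.168.11.2 22 || echo "client_a -> 192.168.11.2:22 denied"
permitopen_allows '192.168.10.*:22' 192.168.10.2 22 || echo "192.168.10.*:22 is literal text: denied"
```

To confirm the result on a real gateway, run the script as root, then from a client issue the question's own command (ssh -f client_a@gateway -L localhost:2222:192.168.11.2:22 -N) and connect to localhost:2222: the session stays up, the client reports "channel ... open failed: administratively prohibited", and sshd logs the denied destination. PermitOpen governs direct-tcpip opens, i.e. -L and -D; reverse forwards requested with -R are a separate control (AllowTcpForwarding local, or PermitListen in newer releases), so restrict them too if the gateway should not relay in that direction.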