We have a customer with a remote server who wants to restrict times we can access the server (most customers we have on-demand access initiated locally).
I'm setting up a script for them so they can just kick it off and it will SSH to our side with a specific account and set up the Remote Tunnel (-R) so we can hit their server from that point.
My issue is that I'm not sure how to lock it down properly so we can access a reverse tunnel, but he can't simultaneously create a Local Forward (-L). sshd_config allows me to restrict forwards.
Match User user1
    GatewayPorts yes
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:12345
Now, this would allow him to create a reverse tunnel so we can connect back to them using protocol YYY, but at the same time, it would also allow him to create a local tunnel back to us on the same port.
Am I understanding things correctly? Is there a way to allow Reverse Tunnels, but deny all Local Forwards?
Best Answer
sshd_config man page has it all:
In your case you likely need:
and possibly PermitOpen is irrelevant to remote port forwarding.
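As an added illustration (not part of the original question or answer), here is an sshd_config Match block that allows user1 to open remote (-R) tunnels only, and only on the one loopback port the script needs, while refusing every local (-L) forward. The user name and the port 12345 are taken from the question; the directive values are standard OpenSSH settings, and PermitListen assumes the server runs OpenSSH 7.8 or later:

```sshd_config
# Restrict user1 to reverse tunnels only (added example, not from the original post).
Match User user1
    # "remote" permits -R (remote forwards) and refuses -L / -D (local forwards
    # and SOCKS), which is exactly the split the question asks for.
    AllowTcpForwarding remote
    # Which listen addresses/ports a -R request may bind on this server.
    # Requires OpenSSH 7.8+; older versions cannot limit -R ports at all.
    PermitListen 127.0.0.1:12345
    # Keep the reverse tunnel bound to loopback on this host; "yes" is only
    # needed if other machines must reach the tunnel endpoint directly.
    GatewayPorts no
    # PermitOpen only governs -L destinations, so with AllowTcpForwarding
    # set to "remote" it is moot; "none" documents the intent explicitly.
    PermitOpen none
    # Optional hardening for an account that exists solely to hold a tunnel.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
```

With this in place the customer's script would run something like `ssh -N -R 127.0.0.1:12345:localhost:YYY user1@yourhost` (YYY being the service port on their side, as in the question), and any `-L` request from that account is rejected by the server rather than relying on the client to behave. To confirm the effective settings for that account before relying on them, `sshd -T -C user=user1` prints the configuration sshd would actually apply after Match evaluation, and the server's auth log shows refused forwarding requests for the session.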