Allow SSH Reverse Tunneling (-R) but Not Local Forwarding (-L)

Tags: ssh, ssh-tunnel

We have a customer with a remote server who wants to restrict the times we can access the server (with most customers we have on-demand access, initiated locally).

I'm setting up a script for them so they can just kick it off and it will SSH to our side with a specific account and set up the Remote Tunnel (-R) so we can hit their server from that point.

My issue is that I'm not sure how to lock it down properly so we can access a reverse tunnel, but he can't simultaneously create a Local Forward (-L). sshd_config allows me to restrict forwards.

Match User user1
    GatewayPorts       yes
    AllowTcpForwarding yes
    PermitOpen         127.0.0.1:12345

Now, this would allow him to create a reverse tunnel so we can connect back to them using protocol YYY, but at the same time, it would also allow him to create a local tunnel back to us on the same port.

Am I understanding things correctly? Is there a way to allow Reverse Tunnels, but deny all Local Forwards?

Best Answer

The sshd_config man page has it all:

 AllowTcpForwarding
         Specifies whether TCP forwarding is permitted.  The available
         options are yes (the default) or all to allow TCP forwarding, no
         to prevent all TCP forwarding, local to allow local (from the
         perspective of ssh(1)) forwarding only or remote to allow remote
         forwarding only.  Note that disabling TCP forwarding does not
         improve security unless users are also denied shell access, as
         they can always install their own forwarders.

In your case you likely need:

Match User user1
    GatewayPorts       yes
    AllowTcpForwarding remote
    PermitOpen         127.0.0.1:12345

and possibly PermitOpen is irrelevant to remote port forwarding.
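As an added example (not part of the original question or answer), the following Python models how sshd resolves AllowTcpForwarding and PermitOpen through Match User blocks, so the "-R allowed, -L denied" intent of the accepted answer can be checked against a config before it is deployed. The config text and user names are constructed; only exact `Match User` criteria are modelled, and on a real host `sshd -T -C user=user1` prints the authoritative effective values.

```python
# Added example, not from the original post: a minimal model of sshd_config
# Match User evaluation for AllowTcpForwarding and PermitOpen. Only exact
# `Match User` criteria are modelled; `sshd -T -C user=...` is authoritative.

# Constructed sample: global deny; user1 may only open -R tunnels.
SAMPLE_CONFIG = """
AllowTcpForwarding no
Match User user1
    GatewayPorts       yes
    AllowTcpForwarding remote
    PermitOpen         127.0.0.1:12345
Match User user2
    AllowTcpForwarding local
    PermitOpen         127.0.0.1:12345
"""

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # sshd defaults

def effective_options(config: str, user: str) -> dict:
    """Global keywords (first value wins), overridden by matching Match blocks."""
    opts = dict(DEFAULTS)
    seen_global, seen_match = set(), set()
    in_global, active = True, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit = value.split()
            in_global = False
            active = len(crit) == 2 and crit[0].lower() == "user" and crit[1] == user
        elif active:
            seen = seen_global if in_global else seen_match
            if key not in seen:
                opts[key] = value
                seen.add(key)
    return opts

def forward_allowed(opts: dict, direction: str, dest: str = "") -> bool:
    """Would sshd honour a -L ("local") or -R ("remote") request under opts?"""
    permitted = {"yes": {"local", "remote"}, "all": {"local", "remote"}, "no": set(),
                 "local": {"local"}, "remote": {"remote"}}[opts["allowtcpforwarding"].lower()]
    if direction not in permitted:
        return False
    permit_open = opts["permitopen"].lower()
    if direction == "local" and permit_open != "any":   # PermitOpen limits -L only
        return permit_open != "none" and dest in permit_open.split()
    return True
```

Running `forward_allowed(effective_options(SAMPLE_CONFIG, "user1"), "local", "127.0.0.1:12345")` returns False while the "remote" direction returns True, which is the split the question asks for.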