Ssh – Why SSH allows me to create multiple local tunnels on same port

sshssh-tunnel

As you can see I get error message when I try to create another tunnel listening on local port that is already used but the tunnel is created. Can I force ssh to not create tunnel on given port when there is another process that is using given port?

┌─[wakatana@~] [79 files, 89Mb]
└──> ps -elf | grep 'ssh -fN'
1 S wakatana     4263     1  0  80   0 - 10660 -      May02 ?        00:00:00 ssh -fN -L 5901:localhost:5901 root@MY.PUB.IP.ADDR
0 S wakatana     6340  4754  0  80   0 -  1959 -      00:22 pts/7    00:00:00 grep --color=auto ssh -fN

┌─[wakatana@~] [79 files, 89Mb]
└──> ssh -fN -L 5900:192.168.1.1:3389 root@MY.PUB.IP.ADDR
┌─[wakatana@~] [79 files, 89Mb]
└──> ps -elf | grep 'ssh -fN'
1 S wakatana     4263     1  0  80   0 - 10660 -      May02 ?        00:00:00 ssh -fN -L 5901:localhost:5901 root@MY.PUB.IP.ADDR
1 S wakatana     6371     1  0  80   0 - 10355 -      00:22 ?        00:00:00 ssh -fN -L 5900:192.168.1.1:3389 root@MY.PUB.IP.ADDR
0 S wakatana     6381  4754  0  80   0 -  1959 -      00:22 pts/7    00:00:00 grep --color=auto ssh -fN

┌─[wakatana@~] [79 files, 89Mb]
└──> ssh -fN -L 5900:192.168.1.3:3389 root@MY.PUB.IP.ADDR
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.
┌─[wakatana@~] [79 files, 89Mb]
└──> ps -elf | grep 'ssh -fN'
1 S wakatana     4263     1  0  80   0 - 10660 -      May02 ?        00:00:00 ssh -fN -L 5901:localhost:5901 root@MY.PUB.IP.ADDR
1 S wakatana     6371     1  0  80   0 - 10355 -      00:22 ?        00:00:00 ssh -fN -L 5900:192.168.1.1:3389 root@MY.PUB.IP.ADDR
1 S wakatana     6391     1  0  80   0 - 10355 -      00:23 ?        00:00:00 ssh -fN -L 5900:192.168.1.3:3389 root@MY.PUB.IP.ADDR
0 R wakatana     6401  4754  0  80   0 -  1958 -      00:23 pts/7    00:00:00 grep --color=auto ssh -fN

Best Answer

I tried to think about how to tidy your question up, but don't have time. I can answer it for you: You need the 'ExitOnForwardFailure' option set to yes.

$ ssh -fN -o ExitOnForwardFailure=yes -L 5900:192.168.1.1:3389 root@MY.PUB.IP.ADDR
$ ssh -fN -o ExitOnForwardFailure=yes -L 5900:192.168.1.3:3389 root@MY.PUB.IP.ADDR 
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.
$ ps auwwx | grep ssh | grep 1111
daniel          94948   0.0  0.0  2461204    520   ??  Ss    2:56pm   0:00.00 ssh -Nf -o ExitOnForwardFailure=yes -L 5900:192.168.1.1:3389 MY.PUB.IP.ADDR

sshd_config

You can designate (for your particular use case) a group, such as proxy-only or Match individual users. In sshd_config. This is done after the global settings and revokes, repeats or refines some of the settings given in the global settings.

Note: some of the syntax/directives used in sshd_config(5) are documented in the man page for ssh_config(5). In particular make sure to read the PATTERNS section of ssh_config(5).

For a group this means your Match block would begin like this:

Match group proxy-only

You can Match the following criteria: User, Group, Host, LocalAddress, LocalPort and Address. To match several criteria simply comma-separate the criteria-pattern pairs (group proxy-only above).

Inside such a block, which is traditionally indented accordingly for brevity (but needn't to), you can then declare the settings you want to apply for the user group without having to edit every single authorized_keys file for members of that group.

The no-pty setting from authorized_keys would be mirrored by a PermitTTY no setting and command="/sbin/nologin" would become ForceCommand /sbin/nologin.

Additionally you can also set more settings to satisfy an admin's paranoia, such as chroot-ing the user into his home folder and would end up with something like this:

Match group proxy-only
    PermitTTY no
    ForceCommand /sbin/nologin
    ChrootDirectory %h
    # Optionally enable these by un-commenting the needed line
    # AllowTcpForwarding no
    # GatewayPorts yes
    # KbdInteractiveAuthentication no
    # PasswordAuthentication no
    # PubkeyAuthentication yes
    # PermitRootLogin no

(check yourself whether you need or want the commented out lines and uncomment as needed)

The %h is a token that is substituted by the user's home directory (%u would yield the user name and %% a percent sign). I've found ChrootDirectory particularly useful to confine my sftp-only users:

Match group sftp-only
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication no

Please mind that only certain directives can be used in a Match block. Consult the man page sshd_config(5) for details (search for Match).

authorized_keys

NB: the part below this remark was my original answer. Meanwhile - but it also depends on the features of your exact sshd version - I would go for the method described above in most cases.

Yes you can, as fine-grained as you can assign public keys. In addition to nologin as recommended by ajdecon, I would suggest setting the following in front of the key entry in authorized_keys:

no-pty ssh-rsa ...

The no pty tells the server-side that no pseudo-terminal should be allocated for that key.

You can also force the execution of something like nologin for a particular key by prepending this:

command="/sbin/nologin",no-pty ssh-rsa ...

Best Answer

Related Solutions

Sql-server – Why can’t I connect to remote Microsoft SQL Server through SSH tunnel

Ssh – disable interactive shell access while tunneling web traffic through SSH

sshd_config

authorized_keys

Related Topic