[This Machine is 192.168.80.125]
Normal SSH Rules to allow all basic access:
AllowUsers user1
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding yes
UsePAM no
Match Group test
    AllowUsers user2@IP1 user2@IP2 user2@IP3 user2@IP4
    PubkeyAuthentication yes
    PasswordAuthentication yes
    AllowTcpForwarding yes
    PermitOpen 192.168.80.100:80
    PermitOpen 192.168.80.125:443
    AllowAgentForwarding no
When I connect to sshd from IP1 as user2 I can connect, and I open my tunnels with PuTTY:
Local source: IP1:8080
Remote destination: 192.168.80.100:80
Local source: IP1:8443
Remote destination: 192.168.80.125:443
I open my browser and browse to localhost:8080 and get a connection reset.
I open my browser and browse to localhost:8443 and get a connection reset.
I check the SSH log:
192.168.80.125 authlog: Received request to connect to host 192.168.80.100 port 80, but the request was denied.
192.168.80.125 authlog: Received request to connect to host 192.168.80.125 port 443, but the request was denied.
Event Log: Opening connection to 192.168.80.125:443 for forwarding from [::1]:3585
Outgoing packet : (SSH2_MSG_CHANNEL_OPEN)
Incoming packet : (SSH2_MSG_CHANNEL_OPEN_FAILURE)
Event Log: Forwarded connection refused by server: Administratively prohibited [open failed]
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016
When using SSH as user1 (pubkey etc.), I can successfully reach the resources at 192.168.80.125:80 / 192.168.80.125:443, and TCP forwarding works correctly to anything.
I had the PermitOpen set up first and this worked. I then added the user2@ restrictions, and this is what broke it.
Is there a better way to do this? I want to ensure user2 can only tunnel to the specified resources and can only log in from the specified IPs.
I also noticed that when I log in as user2 and switch to user1, the forwarding rules are still based on user2.
Best Answer
Well this is embarrassing. Apparently I had the incorrect syntax for PermitOpen.
I found that if you list multiple lines of PermitOpen, only the first line is actually active.
The correct syntax:
PermitOpen <IP>:<port> <IP>:<port> <IP>:<port>
... And so on, on one line.
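The following is an added example written for this page, not code from the question or the answer: a small Python model of how sshd resolves PermitOpen, run against a constructed copy of the Match block above in both layouts (two PermitOpen lines versus one line). IP1 and IP2 are replaced by the sample addresses 10.0.0.1 and 10.0.0.2. The parser only understands the keywords used in this thread (AllowUsers, AllowTcpForwarding, PermitOpen, and Match User/Group/Address with shell-style wildcards, no CIDR), applies the sshd_config(5) rule that the first obtained value of a keyword wins, and lets a matching Match block override the global section; it is a model of that rule, not sshd itself.

```python
import fnmatch

# Constructed sshd_config fragments reproducing the thread's Match block.
# IP1..IP4 from the question are replaced by sample addresses.
BROKEN_CONFIG = """\
AllowUsers user1
AllowTcpForwarding yes
Match Group test
    AllowUsers user2@10.0.0.1 user2@10.0.0.2
    AllowTcpForwarding yes
    PermitOpen 192.168.80.100:80
    PermitOpen 192.168.80.125:443
    AllowAgentForwarding no
"""

FIXED_CONFIG = """\
AllowUsers user1
AllowTcpForwarding yes
Match Group test
    AllowUsers user2@10.0.0.1 user2@10.0.0.2
    AllowTcpForwarding yes
    PermitOpen 192.168.80.100:80 192.168.80.125:443
    AllowAgentForwarding no
"""


def _match_applies(criteria, user, groups, addr):
    """Evaluate a Match line's criteria (only User, Group and Address are modelled)."""
    tokens = criteria.split()
    for key, pats in zip(tokens[::2], tokens[1::2]):
        key, pats = key.lower(), pats.split(",")
        if key == "user":
            candidates = [user]
        elif key == "group":
            candidates = groups
        elif key == "address":
            candidates = [addr]  # wildcard patterns only; CIDR is not modelled
        else:
            raise ValueError(f"Match criterion not modelled: {key}")
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in pats):
            return False
    return True


def effective_options(config, user, groups, addr):
    """Resolve the options sshd would apply to one connection (simplified model).

    The global section is read first, then every Match block in file order.
    Inside each scope only the first occurrence of a keyword is kept (the
    "first obtained value" rule), and a value set by a matching Match block
    overrides the global one.
    """
    global_opts, match_opts = {}, {}
    scope, active = global_opts, True
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if key == "match":
            scope = match_opts
            active = _match_applies(rest, user, groups, addr)
            continue
        if active and key not in scope:  # a repeated keyword is silently ignored
            scope[key] = rest.split()
    return {**global_opts, **match_opts}


def login_allowed(opts, user, addr):
    """AllowUsers patterns are 'user' or 'user@host'; host is matched as an address here."""
    pats = opts.get("allowusers")
    if pats is None:
        return True
    for pat in pats:
        u, _, h = pat.partition("@")
        if fnmatch.fnmatchcase(user, u) and (not h or fnmatch.fnmatchcase(addr, h)):
            return True
    return False


def forward_allowed(opts, host, port):
    """A direct-tcpip request passes AllowTcpForwarding and then the PermitOpen list."""
    if opts.get("allowtcpforwarding", ["yes"])[0] not in ("yes", "local", "all"):
        return False
    permitted = opts.get("permitopen", ["any"])
    if permitted == ["any"]:
        return True
    if permitted == ["none"]:
        return False
    return f"{host}:{port}" in permitted  # exact host:port entries only


def audit(config, user, groups, addr, forwards):
    """Summarise one login attempt: may the user log in, and which forwards pass."""
    opts = effective_options(config, user, groups, addr)
    return {
        "login": login_allowed(opts, user, addr),
        "permitopen": opts.get("permitopen", ["any"]),
        "forwards": {f"{h}:{p}": forward_allowed(opts, h, p) for h, p in forwards},
    }


if __name__ == "__main__":
    wanted = [("192.168.80.100", 80), ("192.168.80.125", 443)]
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg, "user2", ["test"], "10.0.0.1", wanted))
    print("user1", audit(FIXED_CONFIG, "user1", ["users"], "203.0.113.9", wanted))
```

With the two-line layout the model reports only 192.168.80.100:80 as permitted for user2, which is what the second "request was denied" log line reflects; with the one-line layout both forwards pass, user2 from an address outside the AllowUsers list is refused, and user1 (not in group test) keeps unrestricted forwarding. On the real server the authoritative check is `sshd -T -C user=user2,host=IP1,addr=IP1 | grep -i permitopen`, which prints the value sshd will actually apply after Match processing. The restriction belongs to the authenticated SSH session, which is why switching to user1 with su inside a user2 session leaves user2's PermitOpen in force.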