Limiting the forwardable ports for ssh/sshd
Quote from the Ubuntu forums:
http://ubuntuforums.org/showthread.php?t=618733
------------------------------------------------
In the end, I've opted for Pub key authentication.
If it helps anyone, here's what I did...
If yall haver a Better Way (tm), feel free to post.
To configure :
1) Create keys : ssh-keygen -t rsa
2) Make sure they are stored in proper place for ssh to read them
( ex.: On my wrt, /etc/ssh/authorized_keys )
:: Security concern : If the keys are in /etc/ssh/authorized_keys as opposed to ~/.ssh/authorized_keys,
that file must be readable by everyone that connects ( chmod, and possibly chgrp ). Having the keys in the user's homes is potentially safer.
3) cat.pub >> /etc/ssh/authorized_keys
chmod 0600 /etc/ssh/authorized_keys
4) modify key line in /etc/ssh/authorized_keys with :
no-port-forwarding,no-agent-forwarding,permitopen=": ",permitopen="...another one..." ssh-dss
5) If you want the key to be used only for forwarding, while denying the ssh console, add command="/bin/false" to the beginning of the line in 4). This command will be executed first thing as soon as the session is established.
To test :
1) Copy the key ( not the .pub ) to the client home's ~/.ssh/
2) Establish a connection :
ssh -v -L: : :
Note : If using command="/bin/false" as detailed above, you need to add a -N switch to the ssh command, else the ssh session will terminate.
Note : Through me off at first that you DO get a bash prompt on destination machine. With "-v" you'll see that forwarding is disabled.
3) Test the connection : ( in another terminal ) :
ssh -plocalhost
Note : Attempting to connect to anything NOT in permitopen returns : ssh_exchange_identification: Connection closed by remote host
------------------------------------------------