Hello! I'm looking at using Dropbear to encapsulate non-encrypted protocol traffic (like SMTP). I would like to limit users' ability to port forward to specific hosts and ports. I have a couple of questions:

1) Does Dropbear support this? I know that the Dropbear website says: "Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication". But does that mean that it actually obeys "permitopen" information?

2) Is there a more centralized way of controlling this, preferably server-wide? I would love to be able to limit the entire SSH server to forward to only the specific ports on the specific hosts that I want to access, and use the ~/.ssh/authorized_keys file to define, if necessary, a *subset* of those ports on a per-user basis.

I've thought about using Shorewall/iptables to do the centralized port/host control, but that seems like a fair bit of a hassle, when all I want to do is limit *Dropbear*, not the entire system...

I'm surprised that this seems to be such an undocumented area of limiting SSH's power. Giving users the ability to port forward to *any* host and *any* port from the outside seems to be significantly dangerous. What am I missing?

Thank you very much for your thoughts. I appreciate your help.

Tim Massey
