On Thu, Apr 20, 2006 at 04:33:45PM -0400, [EMAIL PROTECTED] wrote:
> Hello!
>
> I'm looking at using Dropbear to encapsulate non-encrypted protocol
> traffic (like SMTP). I would like to limit users' ability to port
> forward to specific hosts and ports. I have a couple of questions:
>
> 1) Does Dropbear support this? I know that the Dropbear website says:
> "Compatible with OpenSSH ~/.ssh/authorized_keys public key
> authentication". But does that mean that it actually obeys "permitopen"
> information?

Nope, if keys have any restrictions on them, then Dropbear won't allow
those keys to be used. I intend to implement some of OpenSSH's
restriction functionality eventually.

> 2) Is there a more centralized way of controlling this, preferably
> server-wide? I would love to be able to limit the entire SSH server to
> forward to only the specific ports on the specific hosts that I want to
> access, and use the ~/.ssh/authorized_keys file to define, if necessary, a
> *subset* of those ports on a per-user basis.

Currently there isn't support for that. It probably wouldn't be too hard
to set up a config file that is loaded and then compared for each TCP
forwarding request. I don't have time to implement it at the moment
though.

> I'm surprised that this seems to be such an undocumented area of limiting
> SSH's power. Giving users the ability to port forward to *any* host and
> *any* port from the outside seems to be significantly dangerous. What am
> I missing?

The general case is that users have the ability to run arbitrary programs
on the host anyway, so port forwarding isn't such a great concern.

Cheers,
Matt
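The config-file check sketched in the reply, written out as an added example that is not Dropbear's code: a server-wide host:port allowlist (the file format is hypothetical) is combined with OpenSSH-style permitopen options from authorized_keys, so a key can only narrow the server's set, never widen it, which is the per-user subset the original poster asked for. The sample policy, key options and target names are constructed for the example.

```python
# Constructed example (not Dropbear code): a direct-tcpip allowlist that combines a
# hypothetical server-wide config with per-key OpenSSH-style permitopen options.
# A request passes only if BOTH allow it: a key can narrow the server set, never widen it.
import re
from typing import List, Optional, Set, Tuple

Target = Tuple[str, Optional[int]]  # (lower-cased host, port); port None stands for '*'

def parse_target(spec: str) -> Target:
    """Parse 'host:port', '[ipv6]:port' or 'host:*'; literal hosts only, no patterns."""
    host, sep, port = spec.strip().rpartition(":")
    if not sep or not host:
        raise ValueError(f"malformed forwarding target: {spec!r}")
    return host.strip("[]").lower(), None if port == "*" else int(port)

def load_server_policy(text: str) -> Set[Target]:
    """Hypothetical server-wide file: one target per line, '#' starts a comment."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {parse_target(line) for line in lines if line}

# One authorized_keys option: a run of non-comma text, or a double-quoted value that
# may itself contain commas and backslash-escaped quotes.
_OPTION = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')

def split_key_options(options: str) -> List[str]:
    """Split the options field on commas outside quotes; the quotes themselves are dropped."""
    return [re.sub(r'"|\\(")', r"\1", opt) for opt in _OPTION.findall(options)]

def permitopen_targets(options: str) -> Optional[Set[Target]]:
    """Targets named by permitopen= options; None means the key imposes no limit."""
    pairs = (opt.partition("=") for opt in split_key_options(options))
    targets = {parse_target(val) for name, _, val in pairs if name.strip() == "permitopen"}
    return targets or None

def _matches(allowed: Set[Target], host: str, port: int) -> bool:
    return (host, port) in allowed or (host, None) in allowed

def forward_allowed(server: Set[Target], key_options: str, host: str, port: int) -> bool:
    """Decide one forwarding request: server policy first, then the key's own subset."""
    host = host.strip("[]").lower()
    if not _matches(server, host, port):  # the server-wide policy is the outer bound
        return False
    key = permitopen_targets(key_options)
    return key is None or _matches(key, host, port)

# Constructed sample policy: only the mail relay's SMTP ports are reachable at all.
SERVER_POLICY = load_server_policy("mail.example.com:25\nmail.example.com:587\n[2001:db8::25]:25")
# Constructed key options: this user gets submission only, plus any port on the v6 relay.
KEY_OPTIONS = 'no-pty,permitopen="mail.example.com:587",permitopen="[2001:db8::25]:*"'
```

A key without any permitopen option inherits the whole server-wide set, and a key's `host:*` still cannot reach a port the server policy does not list.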
