[Gllug] Disabling ssh port forwarding per user
robert at mckay.com
Wed Dec 7 19:01:01 UTC 2011
On Wed, Dec 7, 2011 at 4:08 PM, Tethys . <tethys at gmail.com> wrote:
> I want to disable port/agent forwarding when logging in as a given
> user. In that user's authorized keys file, I can prefix each key with
> the relevant options:
> no-agent-forwarding,no-port-forwarding ssh-dss <my_public_key>
> However, this is somewhat clumsy. I'm effectively having to restrict
> it per client-side user and thus I need to add the relevant options
> whenever I add a new public key, where what I really want to do is
> restrict it per server-side user so I only need to do it once. It also
> doesn't prevent port forwarding when logging in with a password. Is it
> possible to do those two things (with openssh)?
As far as I know it isn't possible. Your best bet might be to setup
another sshd on a different port or different IP that has port
forwarding disabled globally.
You could set it to look in a different location (AuthorizedKeysFile
directive) for the authorized_keys file so that users can't log in via
the normal sshd.
Gllug mailing list - Gllug at gllug.org.uk
More information about the GLLUG