[Gllug] Disabling ssh port forwarding per user

Robert McKay robert at mckay.com
Wed Dec 7 19:01:01 UTC 2011

On Wed, Dec 7, 2011 at 4:08 PM, Tethys . <tethys at gmail.com> wrote:
> I want to disable port/agent forwarding when logging in as a given
> user. In that user's authorized keys file, I can prefix each key with
> the relevant options:
>        no-agent-forwarding,no-port-forwarding ssh-dss <my_public_key>
> However, this is somewhat clumsy. I'm effectively having to restrict
> it per client-side user and thus I need to add the relevant options
> whenever I add a new public key, where what I really want to do is
> restrict it per server-side user so I only need to do it once. It also
> doesn't prevent port forwarding when logging in with a password. Is it
> possible to do those two things (with openssh)?

As far as I know it isn't possible. Your best bet might be to setup
another sshd on a different port or different IP that has port
forwarding disabled globally.

You could set it to look in a different location (AuthorizedKeysFile
directive) for the authorized_keys file so that users can't log in via
the normal sshd.

Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list