Bug 2716 - [PATCH] Add "permitlisten" support for -R style forward
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.5p1
Hardware: amd64 Linux
: P5 enhancement
Assignee: Assigned to nobody
Reported: 2017-05-08 22:57 AEST by Philipp Heckel
Modified: 2021-04-23 15:08 AEST
Attachments
Add "permitlisten" support for -R style forward (7.39 KB, patch)
2017-05-08 22:57 AEST, Philipp Heckel

Description Philipp Heckel 2017-05-08 22:57:11 AEST
Created attachment 2977
Add "permitlisten" support for -R style forward

Hi there,

my apologies for duplicating this message here. I saw too late that there is also a public bug tracker.

This patch adds support for per-key restriction of -R style forwards
via a "permitlisten"-option in the authorized_keys file -- similar to
the "permitopen"-option for -L style forwards.

This is desirable if you want to have restricted accounts/keys that
can only be used for -R style forwards on certain ports.

With this example authorized_keys file:
  restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...

This is allowed:
$ ssh -R 8080:localhost:80 root@localhost -N

While this is not allowed (note port 8081):
$ ssh -R 8081:localhost:80 root@localhost -N
Error: remote port forwarding failed for listen port 8081

This is a preliminary patch (no support for a servconf option
"PermitListen" yet), because I wanted to get early feedback before
continuing. 

Do you think this approach is correct? Would this be a desirable
feature? Is "permitlisten" the correct name for this? Or would 
"permitropen", "permitremoteopen" be better suited?

Best,
Philipp Heckel

WIP branch/pull:
https://github.com/openssh/openssh-portable/pull/65

Mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-May/036000.html
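
The per-key check described in the report above, as an added example that is not part of the original report or the attached patch: it parses the options field of an authorized_keys line (quoted values may contain commas and blanks) and reports whether a requested -R listen port appears in that key's permitlisten list. The function names, the exact-match rule, the bare-port form and the default bind host of localhost are assumptions made here; this is not sshd's matching code.

```python
# Added example: audit authorized_keys lines for permitlisten (not sshd code).
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting this way has no options

def split_options(line):
    """Return the option strings that precede the key type on one line."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'                  # escaped quote inside a quoted value
            i += 1
        elif ch == '"':
            quoted = not quoted         # quotes delimit the value, drop them
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif ch.isspace() and not quoted:
            break                       # options field ends at an unquoted blank
        else:
            cur += ch
        i += 1
    return opts + [cur]

def permitted_listens(line):
    """(host, port) pairs from permitlisten options, or None if the option is absent."""
    specs = None
    for opt in split_options(line):
        name, _, value = opt.partition("=")
        if name.lower() == "permitlisten":
            host, _, port = value.rpartition(":")   # assumption: bare "port" = any host
            specs = (specs or []) + [(host or None, port)]
    return specs

def listen_allowed(line, port, bind_host="localhost"):
    """True/False under an exact-match model; None when the key has no permitlisten."""
    specs = permitted_listens(line)
    if specs is None:
        return None
    return any(h in (None, bind_host) and p == str(port) for h, p in specs)

# Constructed sample lines; key material is a placeholder, as on the page.
SAMPLE = [
    'restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...',
    'command="echo a,b c",permitlisten="9000" ssh-ed25519 AAAAC3...',
    'ssh-rsa AAAAB3Nza...',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(permitted_listens(entry), listen_allowed(entry, 8080), listen_allowed(entry, 8081))
```

A `None` result marks a key that carries no permitlisten option at all, which is the case to review for accounts meant to offer only specific -R ports.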
Comment 1 Damien Miller 2019-07-19 15:37:07 AEST
PermitListen (configuration directive) and a permitlisten authorized_keys directive were added in OpenSSH 7.8
Comment 2 Damien Miller 2021-04-23 15:08:41 AEST
closing resolved bugs as of 8.6p1 release