23

I have a server running Ubuntu and the OpenSSH daemon. Let's call it S1.

I use this server from client machines (let's call one of them C1) to do an SSH reverse tunnel by using remote port forwarding, e.g.:

ssh -R 1234:localhost:23 login@S1

On S1, I use the default sshd_config file. From what I can see, anyone having the right credentials {login,pwd} on S1 can log into S1 and do both remote port forwarding and local port forwarding. Such credentials could be a certificate in the future, so in my understanding anyone grabbing the certificate can log into S1 from anywhere else (not necessarily C1) and hence create local port forwardings.

To me, allowing local port forwarding is too dangerous, since it allows creating some kind of public proxy. I'm looking for a way to disable only -L forwardings.

I tried the following, but this disables both local and remote forwarding:

AllowTcpForwarding No

I also tried the following, this will only allow -L to SX:1. It's better than nothing, but still not what I need, which is a "none" option.

PermitOpen SX:1

So I'm wondering if there is a way to forbid all local port forwards by writing something like:

PermitOpen none:none

Is the following a nice idea?

PermitOpen localhost:1
SCO
  • 233

5 Answers

20

Another solution would be to only allow port forwarding to specific users:

From SSH: The definitive guide

Port forwarding can be globally enabled or disabled in sshd. This is done with the serverwide configuration keyword AllowTcpForwarding in /etc/sshd_config. The keyword may have the value yes (the default, enabling forwarding) or no (disabling forwarding):

# SSH1, SSH2, OpenSSH
AllowTcpForwarding no

In addition, SSH2 has the following options:

# SSH2 only
AllowTcpForwardingForUsers
AllowTcpForwardingForGroups

The syntax of these is the same as for the AllowUsers and AllowGroups options. [Section 5.5.2.1, "Account access control"] They specify a list of users or groups that are allowed to use port forwarding; the server refuses to honor port forwarding requests for anyone else. Note that these refer to the target account of the SSH session, not the client username (which is often not known).

...

It's important to realize that the directives in this section don't actually prevent port forwarding, unless you also disable interactive logins and restrict what programs may be run on the remote side. Otherwise, knowledgeable users can simply run their own port-forwarding application over the SSH session. These settings alone might be a sufficient deterrent in a nontechnical community, but they won't stop someone who knows what she's doing.

Christian
  • 321
19

Anyone with login credentials can bring up their own instance of sshd, running on a random port and allowing whatever they want, including -L local forwardings:

% /usr/sbin/sshd -d -f mysshd.config -p 12345

If you do not trust the users to do something with your machine then you shouldn't allow them to log in in the first place.

(btw, the -D flag is kind of "proxy-problematic" as well)

akira
  • 63,447
8

There is now an option to allow only local / remote forwarding.

AllowTcpForwarding

Specifies whether TCP forwarding is permitted. The available options are “yes” or “all” to allow TCP forwarding, “no” to prevent all TCP forwarding, “local” to allow local (from the perspective of ssh(1)) forwarding only or “remote” to allow remote forwarding only. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

So, as stated already you should set the shell to nologin, too.
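A small checker for the settings this answer and the quoted book passage turn on (an added example, not code from any of the answers or from OpenSSH): it parses an sshd_config, applies Match User overrides, and reports whether a given user could still open -L or -R forwardings and whether a ForceCommand stops them running arbitrary commands. The config text is constructed for the example; only Match User criteria are evaluated, and it assumes an sshd recent enough to accept AllowTcpForwarding remote and PermitOpen none.

```python
import shlex

# Constructed sample sshd_config: the global section leaves forwarding wide
# open, while a dedicated "tunnel" account gets reverse (-R) forwarding only.
SAMPLE_CONFIG = """
Port 22
AllowTcpForwarding yes
PermitOpen any
Match User tunnel
    AllowTcpForwarding remote
    PermitOpen none
    ForceCommand /bin/false
    PermitTTY no
"""


def effective_settings(config_text, user):
    """Keyword -> value mapping sshd would apply to `user` (keys lowercased).

    sshd keeps the first value seen for each keyword, and keywords in a
    satisfied Match block override the global section. Only "Match User"
    criteria are evaluated here (an assumption of this example).
    """
    global_opts, match_opts = {}, {}
    in_match = match_applies = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":
            in_match = True
            criteria = {k.lower(): v for k, v in zip(args[::2], args[1::2])}
            match_applies = user in criteria.get("user", "").split(",")
            continue
        if in_match and not match_applies:
            continue                          # this block is for someone else
        (match_opts if in_match else global_opts).setdefault(key, " ".join(args))
    return {**global_opts, **match_opts}


def audit(config_text, user):
    """Report what `user` may still do: -L, -R, and run an arbitrary command."""
    s = effective_settings(config_text, user)
    mode = s.get("allowtcpforwarding", "yes").lower()
    return {
        "local": mode in ("yes", "all", "local")
                 and s.get("permitopen", "any").lower() != "none",
        "remote": mode in ("yes", "all", "remote"),
        "any_command": "forcecommand" not in s,   # no ForceCommand: shell is open
    }
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read(), "someuser")`; a user that reports `"local": False` but `"any_command": True` is exactly the case the book quote warns about.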

1

My solution to this problem was to add: PermitOpen fo.local:80 in the main section of the sshd_config.

This simply denies any request of local forwarding besides fo.local:80.

MrMisu
  • 11
0

I'm looking for a way to disable only -L forwardings

If I understand you correctly, your users have full shell access, but you don't want them to be able to open connections towards the rest of the net.

The "local port forwarding" allowed by SSH is just one of the possible ways to do that. Others include launching an instance of socat, netcat, or any other number of tools.

The best way to control outgoing as well as incoming connections in Linux is Netfilter, aka IPTables.

It has a special module called owner (ipt_owner) which allows you to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.

You can use it to deny outgoing packets generated by certain groups of users, thus disallowing any kind of port forwarding, not just the -L option of SSH.

Tobia
  • 378