Forwarding (or tunneling) is the use of SSH to protect another network service. We discuss it in detail in Chapter 9, but here we describe the available serverwide configuration options.
5.7.1 Port Forwarding
SSH’s forwarding (or tunneling) features protect other TCP/IP-based applications by encrypting their connections. We cover forwarding in great detail in Chapter 9, but we introduce here the serverwide configuration keywords for controlling it.
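TCP port forwarding can be enabled or disabled by the keyword AllowTcpForwarding, with the value yes (the default) or no.
Tectia can specify this more selectively for particular users or Unix groups, with the keywords AllowTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForUsers, and DenyTcpForwardingForGroups: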
# Tectia
AllowTcpForwardingForUsers smith
AllowTcpForwardingForGroups students
DenyTcpForwardingForUsers evildoer
DenyTcpForwardingForGroups badguys
# Tectia with zsh_fileglob or traditional regex syntax
AllowTcpForwardingForUsers good*@*.friendly.org,*@\i10.1.2.*,12[[:digit:]]
DenyTcpForwardingForGroups bad*,33[[:digit:]]

# Tectia with egrep regex syntax
AllowTcpForwardingForUsers good.*@.*\.friendly\.org,.*@\i10\.1\.2\.*,12[[:digit:]]
DenyTcpForwardingForGroups bad.*,33[[:digit:]]
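Because AllowTcpForwarding defaults to yes, a server configuration that never mentions the keyword still permits forwarding. The following audit sketch is an added example, not code from the book or from either SSH product; it reports the effective serverwide value and lists any of the Tectia per-user and per-group keywords it finds. It assumes "keyword value" lines, that the first occurrence of a keyword wins (OpenSSH's documented rule), and that only the section before any Match line is of interest; the function names and sample configurations are constructed for illustration.

```python
import re

DEFAULT = "yes"  # per the text above: AllowTcpForwarding defaults to yes
# Tectia's per-user and per-group keywords named on this page
SELECTIVE = re.compile(r"(allow|deny)tcpforwardingfor(users|groups)")

def audit_forwarding(config_text):
    """Return (effective_value, explicitly_set, selective_rules)."""
    value, selective = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()               # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                            # assumption: audit global section only
        if key == "allowtcpforwarding" and value is None and arg:
            value = arg.lower()              # assumption: first occurrence wins
        elif SELECTIVE.fullmatch(key):
            selective.append((parts[0], arg))
    return (value or DEFAULT, value is not None, selective)

def findings(config_text):
    """Turn the audit result into human-readable review notes."""
    value, explicit, selective = audit_forwarding(config_text)
    notes = []
    if not explicit:
        notes.append("AllowTcpForwarding not set: forwarding is on by default")
    elif value != "no":
        notes.append("AllowTcpForwarding explicitly set to " + value)
    for keyword, patterns in selective:
        notes.append("per-user/group rule: %s %s" % (keyword, patterns))
    return notes

# Constructed sample configurations (not taken from a real server)
SAMPLE_DEFAULT = "Port 22\n# AllowTcpForwarding no\n"
SAMPLE_DUPLICATE = "allowtcpforwarding NO\nAllowTcpForwarding yes\n"
SAMPLE_TECTIA = ("AllowTcpForwardingForUsers smith\n"
                 "DenyTcpForwardingForGroups badguys\n")

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT),
                       ("duplicate", SAMPLE_DUPLICATE),
                       ("tectia", SAMPLE_TECTIA)]:
        print(name, audit_forwarding(text)[:2], findings(text))
```

The commented-out line in the first sample does not count as a setting, so that configuration is reported as forwarding-enabled by default.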
ForwardACL keyword provides the most precise ...