Forwarding
Forwarding (or tunneling) is the use of SSH to protect another network service. We discuss it in detail in Chapter 9, but here we describe the available serverwide configuration options.
5.7.1 Port Forwarding
SSH’s forwarding (or tunneling) features protect other TCP/IP-based applications by encrypting their connections. We cover forwarding in great detail in Chapter 9, but we introduce here the serverwide configuration keywords for controlling it.
TCP port forwarding can be enabled or disabled by the keyword AllowTcpForwarding, with the value yes (the default) or no:
AllowTcpForwarding no
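As an added example (not from the book), the following audit helper reports whether a server configuration leaves TCP forwarding at its permissive default. It assumes OpenSSH-style sshd_config parsing, where keywords are case-insensitive, the first value found for a keyword is the one used, and a Match line ends the global section; the function names and sample configurations are constructed for illustration.

```python
import re

DEFAULT = "yes"  # the default value stated in the text above


def effective_tcp_forwarding(config_text):
    """Return the global AllowTcpForwarding value from sshd_config text.

    Assumes OpenSSH-style rules: the first occurrence of a keyword wins,
    and settings after a Match line are conditional, not global.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Keyword and argument are separated by whitespace or '='
        tokens = re.split(r"[\s=]+", line)
        keyword = tokens[0].lower()
        if keyword == "match":
            break  # the global section ends here
        if keyword == "allowtcpforwarding" and len(tokens) >= 2:
            return tokens[1].strip('"').lower()
    return DEFAULT


def forwarding_enabled(config_text):
    """True unless the global setting explicitly disables forwarding."""
    return effective_tcp_forwarding(config_text) != "no"


# Constructed sample configurations
SILENT = "# keyword absent, so the default applies\nPort 22\n"
HARDENED = "Port 22\nallowtcpforwarding no\nAllowTcpForwarding yes\n"
MATCH_ONLY = "Port 22\nMatch User smith\n    AllowTcpForwarding no\n"

if __name__ == "__main__":
    for name, cfg in [("silent", SILENT), ("hardened", HARDENED),
                      ("match-only", MATCH_ONLY)]:
        state = "ENABLED" if forwarding_enabled(cfg) else "disabled"
        print(f"{name}: AllowTcpForwarding={effective_tcp_forwarding(cfg)}"
              f" -> forwarding {state}")
```

On a live OpenSSH server, sshd -T prints the effective configuration and is the authoritative check; this helper is for reviewing configuration files offline.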
Tectia can specify this more selectively for particular users or Unix groups, with the keywords AllowTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForUsers, and DenyTcpForwardingForGroups:
# Tectia
AllowTcpForwardingForUsers smith
AllowTcpForwardingForGroups students
DenyTcpForwardingForUsers evildoer
DenyTcpForwardingForGroups badguys
The values for these keywords use the same syntax as for AllowUsers, AllowGroups, DenyUsers, and DenyGroups, respectively: [5.5.1] [5.5.2]
# Tectia with zsh_fileglob or traditional regex syntax
AllowTcpForwardingForUsers good*@*.friendly.org,*@\i10.1.2.*,12[[:digit:]]
DenyTcpForwardingForGroups bad*,33[[:digit:]]
# Tectia with egrep regex syntax
AllowTcpForwardingForUsers good.*@.*\.friendly\.org,.*@\i10\.1\.2\.*,12[[:digit:]]
DenyTcpForwardingForGroups bad.*,33[[:digit:]]
Tectia’s ForwardACL keyword provides the most precise ...