Forwarding (or tunneling) is the use of SSH to protect another network service. We discuss it in detail in Chapter 9, but here we describe the available serverwide configuration options.

5.7.1 Port Forwarding

SSH’s forwarding (or tunneling) features protect other TCP/IP-based applications by encrypting their connections. We cover forwarding in great detail in Chapter 9, but we introduce here the serverwide configuration keywords for controlling it.

TCP port forwarding can be enabled or disabled by the keyword AllowTcpForwarding, with the value yes (the default) or no:

    AllowTcpForwarding no

Tectia can specify this more selectively for particular users or Unix groups, with the keywords AllowTcpForwardingForUsers, AllowTcpForwardingForGroups, DenyTcpForwardingForUsers, and DenyTcpForwardingForGroups:

    # Tectia
    AllowTcpForwardingForUsers smith
    AllowTcpForwardingForGroups students
    DenyTcpForwardingForUsers evildoer
    DenyTcpForwardingForGroups badguys

The values for these keywords use the same syntax as for AllowUsers, AllowGroups, DenyUsers, and DenyGroups, respectively: [5.5.1] [5.5.2]

    # Tectia with zsh_fileglob or traditional regex syntax
    AllowTcpForwardingForUsers good*@*,*@\i10.1.2.*,12[[:digit:]]
    DenyTcpForwardingForGroups bad*,33[[:digit:]]

    # Tectia with egrep regex syntax
    AllowTcpForwardingForUsers good.*@.*\.friendly\.org,.*@\i10\.1\.2\.*,12[[:digit:]]
    DenyTcpForwardingForGroups bad.*,33[[:digit:]]
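
The following script is an added example, not code from the book or from Tectia: it parses the keywords above out of a constructed configuration and decides whether a given client may request TCP forwarding. Several points are assumptions because the text does not state them: the patterns are matched with Python's fnmatch after rewriting POSIX classes such as [[:digit:]], a host part prefixed with \i is compared against the client's IP address rather than its hostname (following the AllowUsers syntax), the evaluation order is the global AllowTcpForwarding switch, then the Deny lists, then the Allow lists (which restrict forwarding to their members whenever at least one is set), and numeric ID patterns such as 12[[:digit:]] are compared only as name strings.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed sample server configuration using the Tectia keywords from the
# text; not taken from any real deployment.
SAMPLE_CONFIG = r"""
# Tectia
AllowTcpForwarding yes
AllowTcpForwardingForUsers good*@*.friendly.org,*@\i10.1.2.*
AllowTcpForwardingForGroups students
DenyTcpForwardingForUsers evildoer,guest[[:digit:]]
DenyTcpForwardingForGroups bad*
"""

# POSIX character classes used by the zsh_fileglob syntax; fnmatch only
# understands bracket ranges, so they are rewritten before matching.
_POSIX_CLASSES = {"[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:alnum:]": "0-9a-zA-Z"}


@dataclass
class ForwardingPolicy:
    enabled: bool = True  # AllowTcpForwarding; the server default is yes
    allow_users: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)
    deny_users: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)


def parse_config(text):
    """Collect the forwarding-related keywords from a config file body."""
    pol = ForwardingPolicy()
    lists = {
        "allowtcpforwardingforusers": pol.allow_users,
        "allowtcpforwardingforgroups": pol.allow_groups,
        "denytcpforwardingforusers": pol.deny_users,
        "denytcpforwardingforgroups": pol.deny_groups,
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "allowtcpforwarding":
            pol.enabled = value.lower() == "yes"
        elif key in lists:
            lists[key].extend(v for v in value.split(",") if v)
    return pol


def glob_match(pattern, name):
    """Match one zsh_fileglob-style pattern against a name, case-sensitively."""
    for posix, rng in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, rng)
    return fnmatch.fnmatchcase(name, pattern)


def user_pattern_matches(pattern, user, hostname, ip):
    # A user entry is "user" or "user@host"; a host part starting with \i is
    # compared against the client IP instead of the hostname (assumed reading
    # of \i, taken from the AllowUsers syntax).
    user_pat, sep, host_pat = pattern.partition("@")
    if not glob_match(user_pat, user):
        return False
    if not sep:
        return True
    if host_pat.startswith(r"\i"):
        return glob_match(host_pat[2:], ip)
    return glob_match(host_pat, hostname)


def forwarding_allowed(pol, user, groups, hostname, ip):
    """Decide whether this client may request TCP port forwarding.

    Assumed evaluation order (not stated on the page): global switch first,
    then the Deny lists, then the Allow lists, which restrict forwarding to
    their members whenever at least one of them is set."""
    if not pol.enabled:
        return False
    if any(user_pattern_matches(p, user, hostname, ip) for p in pol.deny_users):
        return False
    if any(glob_match(p, g) for p in pol.deny_groups for g in groups):
        return False
    if not pol.allow_users and not pol.allow_groups:
        return True
    if any(user_pattern_matches(p, user, hostname, ip) for p in pol.allow_users):
        return True
    return any(glob_match(p, g) for p in pol.allow_groups for g in groups)


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    print(forwarding_allowed(policy, "goodman", ["students"], "pc.friendly.org", "192.0.2.5"))
```

Running the script against the constructed configuration reports True for goodman connecting from pc.friendly.org; swapping in evildoer, or adding the badguys group, flips the result to False because the Deny lists are consulted before the Allow lists under the assumed order. Auditing a real server this way is only as good as that precedence assumption, so check it against the server's documentation before relying on the result.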

Tectia’s ForwardACL keyword provides the most precise ...

Get SSH, The Secure Shell: The Definitive Guide, 2nd Edition now with O’Reilly online learning.