Reverse tunneling SSH keys with port limitations on both ends?
by Turbocapitalist from LinuxQuestions.org on (#5GQB1)
I am looking to find a way to use public key options, or any other method, to forcibly limit ports on both ends of a reverse tunnel over SSH.
If I set up a reverse tunnel initiated from system A to system B, where port 4406 on B is connected to port 3306 on A:

    ssh -R 4406:localhost:3306 serverB.example.com

I can then limit the choice of port available on B by using the PermitListen option within the public key as recorded in system B's account's authorized_keys file.

    $ hostname
    serverB.example.com
    $ grep -w 4406 ~/.ssh/authorized_keys
    restrict,port-forwarding,permitlisten="localhost:4406" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCmE1i8zP2Edb+JJv0dYHwhn0d91cqJTrhT8AiiidE6GdfMQqQtwBQ5jcm+PLeJ5Fw6OGPMTKRGCRFXpvtPUfyI=

How do I then also limit the choice of ports on the other end of the connection? That is to say, limit which port the key can use on the originating system. I've experimented with the PermitOpen option but it is not relevant here because it affects only -L regular forwarding, not reverse forwarding. I expect I have missed something fairly obvious?
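As an added example (written for this page, not code from the post or from OpenSSH), the following Python checker parses an authorized_keys line and evaluates a requested `-R` listen spec against the `restrict`, `port-forwarding` and `permitlisten` options the way sshd(8) documents them, so a key file can be audited for which remote listeners each key admits on B. It covers only the B side, since the destination host and port on A are chosen by the ssh client process on A and no authorized_keys option on B can express them; it assumes option values contain no escaped quotes, and reuses the posted key line as sample input.

```python
import fnmatch

def parse_authorized_key(line):
    # Returns (options, key_type). Options end at the first unquoted whitespace; quoted commas don't split.
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):   # no options field on this line
        return [], line.split()[0]
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
        i += 1
    return opts + [cur], line[i:].split()[0]

def listen_spec_matches(spec, host, port):
    # permitlisten="[host:]port" per sshd(8): bare port = any host, port "*" = any port, host may use '*'/'?'.
    if spec.startswith("["):                         # [ipv6addr]:port
        h, _, p = spec[1:].partition("]:")
    elif ":" in spec:
        h, _, p = spec.rpartition(":")
    else:
        h, p = "*", spec
    return (p == "*" or p == str(port)) and fnmatch.fnmatchcase(host, h)

def remote_forward_allowed(line, listen_host, listen_port):
    # Would sshd accept `ssh -R [listen_host:]listen_port:...` under this key line?
    opts, _ = parse_authorized_key(line)
    # -R without a listen host sends the literal name "localhost"; sshd compares strings, so "127.0.0.1" won't cover it.
    listen_host = listen_host or "localhost"
    forwarding, permits = True, []
    for opt in opts:                                 # processed in order, as sshd does
        name, _, value = opt.partition("=")
        if name.lower() in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif name.lower() == "port-forwarding":
            forwarding = True
        elif name.lower() == "permitlisten":
            permits.append(value.strip('"'))
    if not forwarding or not permits:                # no permitlisten at all: any -R is accepted
        return forwarding
    return any(listen_spec_matches(s, listen_host, listen_port) for s in permits)

# Sample input: the key line quoted in the post above
POST_LINE = ('restrict,port-forwarding,permitlisten="localhost:4406" ecdsa-sha2-nistp256 '
             'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCmE1i8zP2Edb+JJv0dYHwhn0d91cqJTrhT8AiiidE6GdfMQqQtwBQ5jcm+PLeJ5Fw6OGPMTKRGCRFXpvtPUfyI=')
```

Running `remote_forward_allowed(POST_LINE, None, 4406)` returns True while `remote_forward_allowed(POST_LINE, "127.0.0.1", 4406)` returns False, which is the "localhost" string-match caveat worth checking before tightening a permitlisten.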