How to restrict reverse SSH tunnel ports?

We have a public server that accepts SSH connections from multiple clients behind firewalls.

Each of these clients creates an SSH reverse tunnel using the ssh -R command from its web servers at port 80 to our public server.

The destination port (on the client side) for the reverse SSH tunnel is 80, and the source port (on the shared server side) depends on the user. We plan to maintain a port address map for each user.

For example, client A will tunnel its web server on port 80 to our port 8000; Client B from 80 to 8001; Client C from 80 to 8002.

Client A: ssh -R 8000:internal.webserver:80 clienta@publicserver
Client B: ssh -R 8001:internal.webserver:80 clientb@publicserver
Client C: ssh -R 8002:internal.webserver:80 clientc@publicserver

Basically, we are trying to associate each user with a port and not allow them to tunnel to any other ports.

If we used the direct SSH tunneling feature with ssh -L, we could enable tunneling of this port using the permitopen=host:port configuration. However, there is no equivalent for an SSH reverse tunnel.

Is there a way to restrict reverse tunneling ports for each user?

+4
1 answer

What you want to do is restrict the port(s) to which this user can bind.

Ways to do this are described here:

http://www.linuxquestions.org/questions/linux-server-73/how-can-i-restrict-ports-for-users-to-bind-to-667153/

+1
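As an added example that is not part of the thread above: newer OpenSSH releases (7.8 and later) do have a direct counterpart to permitopen for reverse tunnels, the PermitListen directive, so the per-user port map from the question can be expressed in sshd_config without touching the OS-level bind restrictions the answer links to. The user names and ports are the ones from the question; the default-deny block and the Match layout are assumptions for this example.

```sshd_config
# /etc/ssh/sshd_config excerpt (added example, not from the thread).
# Assumes OpenSSH 7.8 or later, which introduced PermitListen,
# the -R counterpart of permitopen / PermitOpen.

# Default for every account: no TCP forwarding and no -R listeners at all,
# so a user who is not matched below cannot open any tunnel.
AllowTcpForwarding no
PermitListen none

# Each client may only request the single remote port mapped to it.
# A request such as "ssh -R 8001:... clienta@publicserver" is refused
# by sshd for clienta, because 8001 is not in its PermitListen list.
Match User clienta
    AllowTcpForwarding remote
    PermitListen 8000

Match User clientb
    AllowTcpForwarding remote
    PermitListen 8001

Match User clientc
    AllowTcpForwarding remote
    PermitListen 8002

# Alternative, per key instead of per account: the same restriction as an
# authorized_keys option on the client's key line, e.g. (constructed key):
#   permitlisten="8000",restrict ssh-ed25519 AAAA...EXAMPLE clienta-tunnel
```

Verify the effective settings for one account with `sshd -T -C user=clienta | grep -i permitlisten` before reloading, and check the auth log for the refused "remote port forwarding" request when a client asks for a port outside its mapping.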
