SSH Reference Manual

attribute defines a list of host/port combinations that a user is allowed to reach via a specific SSH2 instance. No pattern
matching is allowed but several hosts can be defined and several ports can be specified per host.
If the user attribute RESTRICTION-PROFILE is defined and the CONNECT-TO attribute of that restriction profile is
set, then whenever the SSH2 process starts an outgoing connection for that user it allows only the configured
host/port combinations.
Restricting Local Ports used for Port Forwarding
In an environment in which some users should not be allowed to listen on any (unused) local ports for forwarding
purposes, a list of allowed 0.0.0.0/port and 127.0.0.1/port combinations can be defined. The RESTRICTION-PROFILE
attribute PERMIT-LISTEN holds this list.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding listen port restriction is applied if the attribute RESTRICTION-PROFILE of the user record is set and
the PERMIT-LISTEN attribute of the corresponding restriction profile record is configured.
Restricting Remote Hosts/Ports for Port Forwarding
If a user should not be permitted to open a tunnel to any host/port for forwarding purposes, administrators can configure
specific host/port combinations for specific users. Host/port combinations can be specified via the RESTRICTION-PROFILE
attribute PERMIT-OPEN, which corresponds to the OpenSSH "permitopen=" option.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding restriction is applied if the attribute RESTRICTION-PROFILE is set in the user record and the
PERMIT-OPEN attribute is configured in the corresponding restriction profile.
Restricting access to forwarding tunnels
In scenarios in which a user is allowed to create a forwarding tunnel, administrators can additionally define which
hosts have access to that tunnel. Using the RESTRICTION-PROFILE attribute FORWARD-FROM, a list of hosts/IP
addresses/patterns can be defined that identifies the hosts allowed to use a tunnel created by a specific user. The
list of allowed hosts is thus taken from the profile of the user who opened the tunnel, provided the restriction is configured.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding-from restriction is applied if the RESTRICTION-PROFILE attribute of the user record is set and the
FORWARD-FROM attribute of the corresponding restriction profile record is configured.
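The four checks described in this section (CONNECT-TO, PERMIT-LISTEN, PERMIT-OPEN and FORWARD-FROM) share one rule: a restriction is only in force when the user record names a RESTRICTION-PROFILE and that profile actually sets the attribute; otherwise the request is unrestricted. The following Python model is an added example, not code from HP NonStop SSH, and it illustrates that rule together with the difference between the literal host/port lists and the pattern-capable FORWARD-FROM list. The profile name FWDONLY, the user names, the USERS dictionary standing in for SSHCTL, and the use of glob-style matching for FORWARD-FROM patterns are all assumptions made for the example.

```python
# Added example: a model of the SSH2 RESTRICTION-PROFILE forwarding checks.
# Hypothetical Python, not code from HP NonStop SSH. The profile and user
# records below are constructed; USERS stands in for the SSHCTL database.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

HostPort = tuple[str, int]


@dataclass
class RestrictionProfile:
    # Each attribute is None when it is not configured in the profile record.
    connect_to: Optional[list[HostPort]] = None     # outgoing SSH2 connections
    permit_listen: Optional[list[HostPort]] = None  # local 0.0.0.0/port or 127.0.0.1/port
    permit_open: Optional[list[HostPort]] = None    # remote host/port tunnel targets
    forward_from: Optional[list[str]] = None        # hosts/IPs/patterns allowed to use a tunnel


@dataclass
class UserRecord:
    name: str
    restriction_profile: Optional[str] = None  # name of a profile record, or None


# Constructed records; the names are hypothetical.
PROFILES = {
    "FWDONLY": RestrictionProfile(
        permit_listen=[("127.0.0.1", 2222)],
        permit_open=[("appsrv.example.com", 8080)],
        forward_from=["10.0.0.*", "admin-ws.example.com"],
    ),
    "EMPTY": RestrictionProfile(),  # profile exists but sets no attribute
}
USERS = {  # stands in for the SSHCTL user database
    "alice": UserRecord("alice", restriction_profile="FWDONLY"),
    "bob": UserRecord("bob"),  # no RESTRICTION-PROFILE at all
    "carol": UserRecord("carol", restriction_profile="EMPTY"),
}


def _profile_of(username: str) -> Optional[RestrictionProfile]:
    """Look the user up, as SSH2 does against SSHCTL, and return its profile if any."""
    user = USERS[username]  # an unknown user has already failed authentication
    if user.restriction_profile is None:
        return None
    return PROFILES.get(user.restriction_profile)


def _exact_match(allowed: list[HostPort], host: str, port: int) -> bool:
    """CONNECT-TO, PERMIT-LISTEN and PERMIT-OPEN entries match literally: no patterns."""
    return any(h.lower() == host.lower() and p == port for h, p in allowed)


def may_connect_to(username: str, host: str, port: int) -> bool:
    """Outgoing SSH2 connection check (CONNECT-TO)."""
    profile = _profile_of(username)
    if profile is None or profile.connect_to is None:
        return True  # restriction not in force: no profile, or CONNECT-TO not set
    return _exact_match(profile.connect_to, host, port)


def may_listen(username: str, bind_addr: str, port: int) -> bool:
    """Local listen port check for forwarding (PERMIT-LISTEN)."""
    profile = _profile_of(username)
    if profile is None or profile.permit_listen is None:
        return True
    return _exact_match(profile.permit_listen, bind_addr, port)


def may_open(username: str, host: str, port: int) -> bool:
    """Remote host/port check for a tunnel (PERMIT-OPEN, like OpenSSH permitopen=)."""
    profile = _profile_of(username)
    if profile is None or profile.permit_open is None:
        return True
    return _exact_match(profile.permit_open, host, port)


def may_use_tunnel(tunnel_owner: str, client_host: str) -> bool:
    """FORWARD-FROM: may client_host use a tunnel opened by tunnel_owner?

    The list comes from the owner's profile. Glob-style patterns are an
    assumption of this example; the manual only says patterns are allowed.
    """
    profile = _profile_of(tunnel_owner)
    if profile is None or profile.forward_from is None:
        return True
    return any(fnmatchcase(client_host.lower(), pat.lower()) for pat in profile.forward_from)


if __name__ == "__main__":
    print("alice -> appsrv.example.com:8080", may_open("alice", "appsrv.example.com", 8080))
    print("alice -> appsrv.example.com:22  ", may_open("alice", "appsrv.example.com", 22))
    print("alice listen 0.0.0.0:2222       ", may_listen("alice", "0.0.0.0", 2222))
    print("10.1.0.7 using alice's tunnel   ", may_use_tunnel("alice", "10.1.0.7"))
    print("bob (no profile) -> any:22      ", may_open("bob", "db.example.com", 22))
```

Two points worth noticing in the model: a user such as carol, whose profile exists but sets none of the attributes, is as unrestricted as bob, who has no profile at all, so an administrator who wants a restriction to bite must configure the attribute and not merely attach the profile; and because the host/port lists match literally, an entry such as appsrv.example.com:8080 does not cover other hosts in the same domain or other ports on the same host.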
HP NonStop SSH Reference Manual Configuring and Running SSH2 133