How to create a restricted SSH user for port forwarding?



Port forwarding via SSH (SSH tunneling) creates a secure connection between a local computer and a remote machine through which services can be relayed. Because the connection is encrypted, SSH tunneling is useful for transmitting information that uses an unencrypted protocol, such as IMAP, VNC, or IRC.

SSH's port forwarding feature can smuggle various types of Internet traffic into or out of a network. This can be used to avoid network monitoring or sniffers, or bypass badly configured routers on the Internet. Note: You might also need to change the settings in other programs (like your web browser) in order to circumvent these filters.

There are three types of port forwarding with SSH:

Local port forwarding: connections from the SSH client are forwarded via the SSH server, then to a destination server

Remote port forwarding: connections from the SSH server are forwarded via the SSH client, then to...


My goal is to have these things working:

User can connect to Server via sftp. He can only read contents from his home directory (hence, he can use sftp user@host).

User can connect to Server and open a remote port for port forwarding (hence, he can use ssh -R remote_port:localhost:port user@host).

User can not do anything but those two things. He should not have normal shell access and should not be able to run commands.

I can get either case to work, but not both at the same time.

My /etc/sshd_config is:

Match Group restricted
    ChrootDirectory /home/restricted/users
    AllowAgentForwarding no
    X11Forwarding no
    AllowTcpForwarding yes
    ForceCommand internal-sftp

Obviously this is the working case for sftp. With this configuration, it is impossible to open a remote port for port forwarding.

The only way for me currently to allow tcp forwarding is disabling the ForceCommand and the ChrootDirectory directives.

Also, I have to change the shell to...

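The question above asks for an account that may open a remote forward but run nothing else. As an added example (not from the question or from any answer on that page), here is a forwarding-only sshd_config Match block next to the block from the question, together with a small POSIX sh audit of the directives that decide what such an account can do. The group name tunnel, the listen port 8888 and the /usr/sbin/nologin path are assumptions. The hardened block relies on three OpenSSH behaviours: AllowTcpForwarding remote (OpenSSH 6.2 or later) refuses -L and -D forwards, PermitListen (7.8 or later) pins the remote listener to one port, and a client that connects with -N never requests a session, so ForceCommand only has to catch clients that do. It covers the forwarding half of the question only; whether ChrootDirectory and internal-sftp can be combined with it is not something this page settles.

```shell
#!/bin/sh
# Added example, not from the original question or its answers.
# Assumptions: group "tunnel", remote listen port 8888, /usr/sbin/nologin.

# Forwarding-only Match block. The client must connect with
#   ssh -N -R 8888:localhost:22 tunnel@server
# -N requests no session, so ForceCommand is only a backstop for clients
# that ask for one; PermitListen pins the remote listener to port 8888 and
# AllowTcpForwarding remote rejects -L and -D. PermitOpen none is redundant
# once only remote forwarding is allowed, but costs nothing.
hardened_match_block() {
    cat <<'EOF'
Match Group tunnel
    AllowTcpForwarding remote
    PermitListen 8888
    PermitOpen none
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /usr/sbin/nologin
EOF
}

# The block from the question, reproduced for comparison.
# AllowTcpForwarding yes with no PermitListen/PermitOpen lets the account
# forward in both directions to any host and port the server can reach.
weak_match_block() {
    cat <<'EOF'
Match Group restricted
    ChrootDirectory /home/restricted/users
    AllowAgentForwarding no
    X11Forwarding no
    AllowTcpForwarding yes
    ForceCommand internal-sftp
EOF
}

# Read one Match block on stdin; print one finding per line, nothing if clean.
# This is a text check over a single block: it knows nothing about values set
# earlier in sshd_config, so confirm the effective settings with
# "sshd -T -C user=..." as well.
audit_match_block() {
    block=$(cat)
    # Effective AllowTcpForwarding value; OpenSSH's default is "yes".
    fwd=$(printf '%s\n' "$block" |
          awk 'tolower($1) == "allowtcpforwarding" { print tolower($2) }')
    [ -n "$fwd" ] || fwd=yes
    case "$fwd" in
        yes|all)
            echo "AllowTcpForwarding $fwd: local and dynamic forwards allowed; use 'remote'" ;;
    esac
    if [ "$fwd" != no ]; then
        printf '%s\n' "$block" | grep -qi '^[[:space:]]*PermitListen[[:space:]]' ||
            echo "no PermitListen: remote forwards may bind any port"
    fi
    case "$fwd" in
        yes|all|local)
            printf '%s\n' "$block" | grep -qi '^[[:space:]]*PermitOpen[[:space:]]' ||
                echo "no PermitOpen: local forwards may reach any host:port" ;;
    esac
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*PermitTTY[[:space:]][[:space:]]*no' ||
        echo "no 'PermitTTY no': a forced command can still get a terminal"
    printf '%s\n' "$block" | grep -qi '^[[:space:]]*ForceCommand[[:space:]]' ||
        echo "no ForceCommand: a session request runs the account's login shell"
}

# Number of findings for a block on stdin (0 means every check passed).
finding_count() {
    audit_match_block | awk 'END { print NR }'
}

echo "== block from the question =="
weak_match_block | audit_match_block
echo "== forwarding-only block =="
hardened_match_block | audit_match_block
```

On the server, check what sshd actually applies to the account with sshd -T -C user=tunnel,host=client.example,addr=192.0.2.10 (hostname and address are placeholders), grepping the output for allowtcpforwarding, permitlisten and forcecommand; that resolves defaults and earlier Match blocks, which the text audit above does not. The same restriction can be attached to a single key instead of a group by putting restrict,port-forwarding,permitlisten="8888" in front of the key in authorized_keys (OpenSSH 7.8 or later for permitlisten).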

What Is SSH Port Forwarding, aka SSH Tunneling?

SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. It can also be abused by hackers and malware to open access from the Internet to the internal network. See the SSH tunneling page for a broader overview.

Local Forwarding

Local forwarding is used to forward a port from the client machine to the server machine. Basically, the SSH client listens for connections on a configured port, and when it receives a connection, it tunnels the connection to an SSH server. The server connects to a configured destination port, possibly on a different machine than the SSH server.

Typical uses for local port forwarding...


Yes, this is another attempt at writing a 3-minute Linux guide. This round, it’s about how to set up or configure SSH Local Port Forwarding in 3 minutes (or maybe less)!

Why use SSH port forwarding? In brief, SSH port forwarding provides a secure tunnel for otherwise insecure or unencrypted TCP connections, such as rcp, POP3, VNC, etc.

SSH Port Forwarding Configuration

Visualize SSH port forwarding as wrapping an insecure TCP connection in an SSH tunnel, i.e. encrypting it via the SSH protocol.

Suppose that Walker-A and Walker-B are both running Red Hat Enterprise Linux in the office data centre. Walker-C is a desktop PC running Windows Vista Ultimate with the PuTTY SSH client (Windows Vista compatible networking freeware).

Let’s say Walker-A is running a Real VNC server that listens on its local port 5907. As you probably know, the default Real VNC connection is not secured or encrypted,...


Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively.

Local port forwarding forwards traffic coming to a local port to a specified remote port. For example, all traffic coming to port 1234 on the client could be forwarded to port 23 on the server (host).

Note: The value of localhost is resolved after the Secure Shell connection has been established -- so when defining local forwarding (outgoing tunnels), localhost refers to the server (remote host computer) you have connected to.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port. For example, all traffic coming to port 1234 on the server (host) could be forwarded to...


The ssh system has a lot of magic to offer: ssh-key authentication, ssh-agent, and one of the lesser-known tricks — port forwarding. With ssh, port forwarding creates encrypted tunnels between local computers and remote machines such that various services can be relayed. With this connection, you can then send useful information (that would normally be unencrypted) through an encrypted connection.

Port forwarding can also be used to gain access to a server that wouldn't normally be accessible. This makes it possible to reach a remote machine with a bit more security, or to grant a temporary, encrypted tunnel to your machine from another. One added bonus of using port forwarding is, thanks to the encryption of the tunnels, you can bypass sniffers or even badly configured routers.

Types of port forwarding

There are three types of SSH port forwarding:

Local port forwarding - connections from an SSH client are forwarded, via the SSH server, to a destination...

port forwarding using ssh

If you are:

working on a computer A that has an ssh client installed

have an ssh account (username) on a computer B, and you can connect to username from computer A with the following url (or IP): b

want to connect to a computer C but you don't have direct access (because of proxies and/or firewalls), with the following url (or IP): c

You will be able to create an ssh tunnel (port forwarding) that will work with any application that connects to localhost or the local IP of your computer. Your application contacts localhost on port pA. The ssh tunnel will forward this to your desired port pC on computer C.

On computer A, open a terminal and type:

ssh -N -L pA:c:pC username@b

Then enter your password for username.

Now you can use your application on localhost with port pA in order to connect to c on port pC.

Example: if your account on computer B is bill, if computer B is at, if computer C is at...


0) You need a machine that has an ssh port (22 by default) open to the internet for this to work (herein referred to as It doesn’t have to be your machine; it can be a third-party machine that you have a login to. All it needs is to be running OpenSSH. A node, or a Dreamhost shell account, anything like these will do.

You’ll also need a login on .com (herein: for your friend (or they can borrow yours), as well as a login on your friend’s machine (duh) and preferably also root on your friend’s machine (if only temporarily).

1) When you first help your friend set up their computer, add an extra desktop shortcut for them which will run the following command (or walk them through typing in this command):

ssh -C -R 8888:localhost:22

When your friend runs this command, it will prompt for a password. Now you can either give them their own username and password on the open-to-the-world...


There are two ways to create an SSH tunnel, local and remote port forwarding (there’s also dynamic forwarding, but we won’t cover that here). The best way to understand these is by an example, let’s start with local port forwarding.

Imagine you’re on a private network which doesn’t allow connections to a specific server. Let’s say you’re at work and is being blocked. To get around this we can create a tunnel through a server which isn’t on our network and thus can access Imgur.

The key here is -L, which says we’re doing local port forwarding. Then it says we’re forwarding our local port 9000 to, which is the default port for HTTP. Now open your browser and go to http://localhost:9000.

The awesome thing about SSH tunnels is that they are encrypted. Nobody on your local network is going to see what sites you’re visiting; they’ll only see an SSH connection to your server. Keep in mind that the SSH server itself, and anyone watching its network, still sees the plaintext connection it makes on your behalf.

Connecting to a database behind a firewall

Another good example is if you need...
