Restrict SSH access to port forwarding to one specific port

Shell_terminalAllowing access to an unprotected service on a server is always a problem. Sometimes the easiest way is to not expose this service to the network but allow access via ssh port-forwarding, but how to limit the SSH account to only port-forward to one specific service? This post will describe how.

There are a lot of possibilities to limit and restrict an ssh account. As already described in Restrict Linux User to SCP to his home directory, an ssh account can be locked into a certain area on the server, but port-forwarding can allow someone to access services though the ssh connection which are normally not accessible directly.

Plain ssh offers a series of configuration options to be placed in various places to limit and control access. Inside the user’s authorized keys, settings can be provided for a specific ssh-key.

In the ~/.ssh/authorized_keys file the following options can be set to restrict access to port-forwarding to one specific port.

command="echo 'Port forwarding only account.'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen="" ssh-rsa AAAA...GdaAR

Going through the options will show what these options restrict or permit.

This command is executed after successful login. The command option shows the text ‘Port forwarding only account.’ to users that try to login to the server without the -N option.
With this option enabled, X11 forwarding will be disabled.
The ssh-agent forwarding is disabled with the no-agent-forwarding option.
Disallows the user from getting access to a shell.
This option will disallow port-forwarding entirely. The permitopen option below allows exceptions from that restriction.
Based on the above no-port-forwarding, this option defines a certain port-forwarding to be allowed while every other port-forwarding is not allowed. In the above example, this option is repeated twice. Once for the use of the name “localhost” and a second time for the IP address.

With the parameters explained, the configuration as shown above, allows the user who authenticates with this SSH key to only create a port-forwarding to the localhost (or the IP equivalent) port 8080.

Read more of my posts on my blog at

This entry was posted in Linux Administration, Security and tagged , . Bookmark the permalink.