I have found how to restrict TCP tunnels on a per user basis. Now I would like to give some users/groups access to multiple clients in the network.
When I follow the instructions from the OpenSSH server documentation, I can’t restart the OpenSSH server.
From the documentation:
Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

    PermitOpen host:port
    PermitOpen IPv4_addr:port
    PermitOpen [IPv6_addr]:port

Multiple forwards may be specified by separating them with whitespace. An argument of any can be used to remove all restrictions and permit any forwarding requests. An argument of none can be used to prohibit all forwarding requests. The wildcard ‘*’ can be used for host or port to allow all hosts or ports, respectively. By default all port forwarding requests are permitted.
I’m using these settings:

    Match Group SSHTunnel_WebUI
        AllowTcpForwarding yes
        PermitOpen="gitlab.company.de:80 wiki.company.de:80"
When I remove the second FQDN:port, I can restart sshd; otherwise I get an error message complaining about the configuration file. Other similar rules, but with only one FQDN:port setting, work as expected.

How should I format the settings string?
The error message as given by
    Jan 08 00:45:56 wiki sshd: /etc/ssh/sshd_config line 150: bad port number in PermitOpen
    Jan 08 00:45:56 wiki systemd: ssh.service: Control process exited, code=exited status=255
    Jan 08 00:45:56 wiki systemd: ssh.service: Failed with result 'exit-code'.
    Jan 08 00:45:56 wiki systemd: Failed to start OpenBSD Secure Shell server.
    -- Subject: Unit ssh.service has failed
    -- Defined-By: systemd
    -- Support: https://www.debian.org/support
    --
    -- Unit ssh.service has failed.
    --
    -- The result is RESULT.
    Jan 08 00:45:56 wiki systemd: ssh.service: Service hold-off time over, scheduling restart.
    Jan 08 00:45:56 wiki systemd: ssh.service: Scheduled restart job, restart counter is at 5.
Related but not applicable questions and links:
The format of PermitOpen is a space-separated list of host:port pairs. However, the configuration example you gave has quotation marks. These are not permitted.
Use no quotation marks (and the = is also optional):

    PermitOpen gitlab.company.de:80 wiki.company.de:80
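To see why the quoted form produces exactly the "bad port number in PermitOpen" line from the question's log, here is a small Python model of how sshd tokenizes a configuration line and then validates each PermitOpen argument. This is an added example written for this page, not OpenSSH's own code: it reproduces the observable rules (whitespace separates arguments, a `=` directly after the keyword is also a separator, and an argument that opens with a double quote runs to the closing quote, embedded spaces included), and that simplification is an assumption of the example. The host names are the ones from the question; the IPv6 and wildcard entries are constructed.

```python
"""Model of how sshd tokenizes and validates a PermitOpen line.

Added example for this answer: a simplified re-implementation of the
parser's observable behaviour, not OpenSSH's code.
"""

WHITESPACE = " \t\r\n"


def tokenize_config_line(line):
    """Split one sshd_config line into [keyword, arg, arg, ...].

    Separators are whitespace, plus '=' around the keyword. An argument that
    opens with a double quote runs to the closing quote, so
    "a:80 b:80" becomes ONE argument. (Assumed model of sshd's strdelim().)
    """
    tokens = []
    i, n = 0, len(line)

    def is_sep(ch):
        # '=' only separates the keyword from its first argument.
        return ch in WHITESPACE or (ch == "=" and len(tokens) <= 1)

    while i < n:
        while i < n and is_sep(line[i]):
            i += 1
        if i >= n:
            break
        if line[i] == '"':
            end = line.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quote")
            tokens.append(line[i + 1:end])
            i = end + 1
            continue
        start = i
        while i < n and not is_sep(line[i]) and line[i] != '"':
            i += 1
        tokens.append(line[start:i])
    return tokens


def split_host_port(arg):
    """Split host:port, IPv4:port or [IPv6]:port into (host, port_str|None)."""
    if arg.startswith("["):
        end = arg.find("]")
        if end < 0:
            return None, None
        host, rest = arg[1:end], arg[end + 1:]
        if rest == "":
            return host, None
        return host, (rest[1:] if rest.startswith(":") else None)
    host, sep, port = arg.partition(":")
    return host, (port if sep else None)


def permitopen_port(port_str):
    """Return the port number, '*' for the any-port wildcard, or None if invalid."""
    if port_str == "*":
        return "*"
    if port_str.isdigit() and 1 <= int(port_str) <= 65535:
        return int(port_str)
    return None


def parse_permitopen(line):
    """Parse a PermitOpen line into 'any', 'none' or a list of (host, port).

    Raises ValueError with sshd-style messages for a bad specification.
    """
    tokens = tokenize_config_line(line)
    if not tokens or tokens[0].lower() != "permitopen":
        raise ValueError("not a PermitOpen line")
    args = tokens[1:]
    if not args:
        raise ValueError("missing PermitOpen specification")
    if len(args) == 1 and args[0] in ("any", "none"):
        return args[0]
    entries = []
    for arg in args:
        host, port_str = split_host_port(arg)
        if not host:
            raise ValueError("missing host in PermitOpen")
        port = None if port_str is None else permitopen_port(port_str)
        if port is None:
            # The quoted form lands here: the port string is "80 wiki.company.de:80".
            raise ValueError("bad port number in PermitOpen")
        entries.append((host, port))
    return entries


def check_permitopen(line):
    """Convenience wrapper: (True, parsed) or (False, error message)."""
    try:
        return True, parse_permitopen(line)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for cfg in [
        'PermitOpen="gitlab.company.de:80 wiki.company.de:80"',  # quoted: rejected
        "PermitOpen gitlab.company.de:80 wiki.company.de:80",    # corrected form
        "PermitOpen=[2001:db8::1]:443 10.0.0.5:*",               # constructed: '=' + IPv6 + wildcard
    ]:
        print(cfg, "->", check_permitopen(cfg))
```

The useful point is the second check: with the quotes removed the two entries parse as separate host:port pairs, which is what the per-group Match block needs. The quoted line is not rejected for the quotes themselves; it fails because everything inside them becomes a single argument whose "port" is `80 wiki.company.de:80`. Whatever form you settle on, `sshd -t` validates the file without restarting the service, so a bad line never takes sshd down.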