Enabling Port Forwarding Over SSH When It's "administratively Prohibited"

Posted3 months agoActive3 months ago

nticompass

5 points

4 comments

blog.computers.picturesTechstory

calmpositive

Debate

20/100

SSHNetworkingSecurity

Key topics

SSH

Networking

Security

The post describes a technique to enable port forwarding over SSH even when it's administratively prohibited, and the discussion revolves around the usefulness and potential security implications of this technique.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

17m

Peak period

0-2h

Avg / period

1.3

Key moments

01Story posted
Oct 15, 2025 at 12:43 PM EDT
3 months ago
Step 01
02First comment
Oct 15, 2025 at 1:00 PM EDT
17m after posting
Step 02
03Peak activity
2 comments in 0-2h
Hottest window of the conversation
Step 03
04Latest activity
Oct 16, 2025 at 7:36 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (4 comments)

Showing 4 comments

Bender

3 months ago

1 reply

No idea why they would do this, but they did.

Hardening in sshd_config to prevent arbitrary network access behind the firewall where the firewall would otherwise not permit. If one can get around this then the host itself may be missing proper outbound owner-based firewall rules varies by compliance requirements.

nticompassAuthor

3 months ago

1 reply

I'd understand if there was a firewall rule to prevent me from port forwarding to another machine on the same network, but this is the same machine (localhost).

Bender

3 months ago

1 reply

That is the hardening I was referring to in sshd [1] itself. I updated my comment to clarify sshd_config. Without specifying permitopen and permitlisten one could for example access a service that for whatever reason does not use proper access and authentication controls such as an old installation of reddis listening on 127.0.0.1:6379. Something else to read up on is PermitTunnel and the global forwarding option of AllowTcpForwarding and AllowStreamLocalForwarding. Beyond that another thing to research is MaxSessions which can be abused by phishers that get a shell on ones laptop and facilitating the unlogged bypass of MFA/2FA.

Another option to read up on is "Match" which can modify options for specific users, groups, networks or ports. For example we can disable port forwarding for Bob and enable port forwarding for Alice.

To further limit what that host can talk to one can use the Netfilter "owner" module to limit outbound connections by user or group. So for example only the LDAP user can talk to the LDAP server.

    # sshd -T | grep permit[l-o]
    permitopen 10.10.1.1:80
    permitlisten 10.10.1.1:80

Each org may have different audit and regulatory requirements that determine which if any of these options are utilized. Development orgs and small startups rarely use any of them due to perception of friction.

[1] - https://man7.org/linux/man-pages/man5/sshd_config.5.html

nticompassAuthor

3 months ago

I guess I don't know all the settings/permissions that SSH can do. I assumed that once I was connected, I could just do whatever I wanted (or whatever my user had permission to do). Thanks for the information!

View full discussion on Hacker News

ID: 45595212Type: storyLast synced: 11/17/2025, 10:08:07 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN