# Disable ssh -D

## bormooski

My company is creating a bastion host to allow access to our prod env, and one thing that we want to prevent users from doing is creating an ssh proxy (`ssh -D xxxx user@host`). I don't see any way to disable the DynamicForward directive. Am I missing something?

----------

## Sven Vermeulen

If you disable tcp forwarding, the dynamic forwarding should be disabled as well.

----------

## bormooski

per the man pages...

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The default is
             ``yes''.  Note that disabling TCP forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.

So this doesn't actually solve the issue. We want to prevent users from being able to issue this command.

----------

## boerKrelis

Take a look at net-proxy/sshproxy. It makes for a tightly controlled bastion setup. And maybe you can get around the forwarding issue.

You could also use iptables and 'owner match' to reject egress traffic from the bastion box to unwanted destinations.
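An added sshd_config example (not from any poster in this thread) showing the weak setting beside a restricted one: `ssh -D` works by opening direct-tcpip channels to arbitrary destinations, so instead of switching `AllowTcpForwarding` off entirely (which the man page caveat above says buys little while users keep a shell), the bastion can keep local forwarding for the jump to prod but pin the reachable destinations with `PermitOpen`. The group name `produsers` and the host `prod-app.example.internal` are assumed placeholders.

```sshd_config
# --- Weak: the upstream default. Any authenticated user can run
#     "ssh -D 1080 user@bastion" and reach anything the bastion can.
#AllowTcpForwarding yes
#PermitOpen any

# --- Restricted bastion: forwarding still exists for the jump to prod,
#     but every direct-tcpip channel (ssh -L, ssh -W / ProxyJump and the
#     per-connection channels that ssh -D opens) is limited to the
#     destinations listed in PermitOpen. A -D SOCKS proxy pointed at any
#     other host is refused by sshd with "administratively prohibited".
AllowTcpForwarding local
PermitOpen prod-app.example.internal:22   # assumed prod target
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no

# Users who only need the jump get no interactive shell at all, which is
# what the man page says is required before forwarding restrictions mean
# anything. The group name is assumed.
Match Group produsers
    PermitTTY no
    ForceCommand /bin/false
```

Pair this with the iptables owner match suggested above so that a user who still has a shell cannot run their own forwarder past the same destination list.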

----------

## timeBandit

Moved from Gentoo Chat to Networking & Security.

----------

