
We have a customer with a remote server who wants to restrict the times we can access the server (for most customers we have on-demand access initiated locally).

I'm setting up a script for them so they can just kick it off and it will SSH to our side with a specific account and set up the Remote Tunnel (-R) so we can hit their server from that point.

My issue is that I'm not sure how to lock it down properly so we can access a reverse tunnel, but he can't simultaneously create a Local Forward (-L). sshd_config allows me to restrict forwards:

 Match User user1
     GatewayPorts yes
     AllowTcpForwarding yes
     PermitOpen 127.0.0.1:12345

Now, this would allow him to create a reverse tunnel so we can connect back to them using protocol YYY, but at the same time, it would also allow him to create a local tunnel back to us on the same port.

Am I understanding things correctly? Is there a way to allow Reverse Tunnels, but deny all Local Forwards?

1 Answer


The sshd_config man page has it all:

 AllowTcpForwarding
     Specifies whether TCP forwarding is permitted. The available options are yes (the default) or all to allow TCP forwarding, no to prevent all TCP forwarding, local to allow local (from the perspective of ssh(1)) forwarding only or remote to allow remote forwarding only. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

In your case you likely need:

 Match User user1
     GatewayPorts yes
     AllowTcpForwarding remote
     PermitOpen 127.0.0.1:12345

Also, PermitOpen is possibly irrelevant to remote port forwarding.

Comment:
  I looked specifically at AllowTcpForwarding and did NOT see that option. Thank you very much! Sigh, and now I see why. I googled the man page and pulled up the one for FreeBSD (first result). You're 100% correct, thank you. Commented Nov 9, 2018 at 15:03
