SSH Local Forward about the-bastion HOT 2 CLOSED

Hello,

Local, Remote and TCP forwarding are all disabled intentionally, because those features could be used to bypass security mechanisms in place, such as accessing (network-wise) to assets that should only be accessible through the bastion's logic, and bypassing full traceability, as in that case the bastion wouldn't know what's going on inside the local/remote/tcp forwards.

Now, the settings change you tried didn't work because the bastion is doing a protocol break, and when you're connecting to a remote server through it, there are actually 2 distinct SSH connections taking place, one between you and the bastion, and another one (started by the bastion on your behalf) between the bastion and the remote server, then those 2 connections are transparently "plugged" together. The -L you're trying to use would only apply to the first connection, so it would expose the port 9090 of the bastion itself, not the port of the remote server. For this to work, a double port forward should take place: the bastion should also do a -L to connect to the remote server. But as the bastion is a shared asset between a lot of accounts and teams, such ports forwards happening on the bastion could collide and users might be able to access port forwards opened by others, so that would be a security issue. This issue doesn't exist with a direct connection because there's no shared asset in the middle.

from the-bastion.

Thanks for this great explanation why port forwarding can't work.

About the need of accessing an http server from a non-exposed to internet machine, I will have to find something else.

from the-bastion.