From the current ssh session on a server, what -L params did the client specify?
I am trying to build a jumphost using sshd that can be used for port forwarding. The goal is to be able to get into a secure zone and forward the RDP port out so remote desktop can be used.
On my workstation I want to run
ssh -NL 1234:my-server:3389 the-jumphost
and then connect my RDP client to localhost:1234 (or VNC, or $whatever_app).
I want to further lock things down to only allow port forwards to hosts that the user has access to in a separate system. The problem I'm trying to solve is that I don't want someone to run
ssh -NL 1234:sensitive-server:5900 the-jumphost
and then have network access to a service they shouldn't. To support this, let's say I have a CLI I can run on my jumphost: can_access $user $host.
At login time (or post-login), how can I tell what the port forwarding options are for an incoming connection? The closest I've gotten is to put something in PAM:
auth required pam_exec.so seteuid /is_valid_port_forward
But I cannot figure out how to tell what port forwards are being set up. How can I do this?
Some additional context: I have services network-isolated from each other, so if you log into my-server, you cannot talk to sensitive-server. However, if you log into the jumphost, you can do anything you want to sensitive-server. The other thing I'm doing is locking down ssh itself with the can_access script.
In terms of numbers, I have about 10,000 users logging into ~40,000 hosts on ~1,000 separate networks, fronted by tens of jumphosts behind a DNS load balancer. Building up PermitOpen lists is not feasible, hence the need to do this dynamically.
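An added example, not part of the original question and not OpenSSH's own code. The practical caveat behind the question is that a -L forward is never visible to PAM: the client sends it after authentication as a direct-tcpip channel-open request, and sshd decides on it itself against PermitOpen in sshd_config or a permitopen= option on the key that authenticated the session. The dynamic hook OpenSSH does offer is AuthorizedKeysCommand, which sshd runs at every login with the user name and which may print authorized_keys lines carrying whatever key options the ACL system produces for that user. The script below does that: it takes the login name, asks a hypothetical allowed_hosts(user) lookup (a stand-in for the poster's can_access, here backed by a constructed ACL table) which hosts the user may reach, and emits the user's keys with restrict,port-forwarding plus one permitopen= entry per approved host and port. The inventory, keys, ACL and the allowed port list are all constructed sample data.

```python
"""Generate per-user authorized_keys lines whose permitopen= options encode
the forwarding targets an external ACL allows.

Intended to be run by sshd as an AuthorizedKeysCommand: sshd passes the login
user name as the argument and reads authorized_keys lines from stdout.
Everything below the docstring that looks like real data is a constructed
stand-in for the poster's inventory, key store and can_access CLI.
"""
import ipaddress
import re
import sys

# Constructed inventory: hostname -> address (stands in for ~40,000 hosts).
INVENTORY = {
    "my-server": "10.20.30.40",
    "sensitive-server": "10.20.30.99",
}

# Constructed per-user public keys; normally fetched from LDAP or a key store.
# The blobs are placeholders, not real keys.
USER_KEYS = {
    "alice": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYalice alice@ws"],
    "bob": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYbob bob@ws"],
}

# Constructed ACL standing in for the poster's `can_access $user $host`.
ACL = {("alice", "my-server"), ("bob", "my-server"), ("bob", "sensitive-server")}

# Assumed jumphost policy: only these destination ports are ever forwarded.
ALLOWED_PORTS = (3389, 5900)

_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def allowed_hosts(user):
    """Hosts `user` may reach. Hypothetical lookup: in production this must be
    a single 'list hosts for user' query against the access system, because
    calling can_access once per inventory host does not scale per login."""
    return [h for h in sorted(INVENTORY) if (user, h) in ACL]


def permitopen_target(host, port):
    """Format one permitopen= value. Rejects anything that could break the
    option syntax (spaces, quotes, commas) and brackets IPv6 literals, which
    is the form sshd expects for them."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    try:
        addr = ipaddress.ip_address(host)
        host_part = "[%s]" % addr if addr.version == 6 else str(addr)
    except ValueError:
        if not _HOSTNAME_RE.match(host):
            raise ValueError("unsafe hostname: %r" % (host,))
        host_part = host
    return 'permitopen="%s:%d"' % (host_part, port)


def forwarding_options(user):
    """Key options for `user`: disable everything with `restrict`, then
    re-enable port forwarding only to ACL-approved host:port targets."""
    targets = []
    for name in allowed_hosts(user):
        for port in ALLOWED_PORTS:
            # sshd matches the host the client asked for as a literal string
            # (no name resolution), so list both the name and the address;
            # otherwise `-L 1234:10.20.30.40:3389` bypasses a name-only entry.
            targets.append(permitopen_target(name, port))
            targets.append(permitopen_target(INVENTORY[name], port))
    if not targets:
        # Login still allowed (subject to the can_access gate elsewhere),
        # but no forwarding, no pty, no agent or X11 forwarding.
        return ["restrict"]
    return ["restrict", "port-forwarding"] + targets


def authorized_keys_lines(user):
    """One authorized_keys line per key the user owns, options prepended."""
    opts = ",".join(forwarding_options(user))
    return [opts + " " + key for key in USER_KEYS.get(user, [])]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ssh-forward-acl <user>")
    for line in authorized_keys_lines(sys.argv[1]):
        print(line)
```

To wire it in, sshd_config on the jumphost would carry AuthorizedKeysCommand /usr/local/sbin/ssh-forward-acl %u and AuthorizedKeysCommandUser nobody, plus AuthorizedKeysFile none so a user's own ~/.ssh/authorized_keys cannot supply an unrestricted key. Two things to keep in mind: permitopen only governs -L and -D (direct-tcpip) forwards, while -R forwards are governed by PermitListen; and because the options are attached to the key at authentication time, a change in the ACL takes effect on the user's next login, not on an open session.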