C.3.  Disabling port forwarding

ThinLinc relies on SSH port forwarding in order to function. However, it is possible to limit that port forwarding in order to avoid unwanted network access. ThinLinc only requires forwarding via the loopback interface, so the SSH server can always be configured to allow only this without limiting ThinLinc in any way. For OpenSSH, this is configured by specifying the following in sshd_config:

GatewayPorts no
PermitOpen 127.0.0.1:*

Note that it is also necessary to disable shell access in order to completely prevent users from forwarding ports, as otherwise they could run their own forwarding software over the shell channel.

C.3.1.  Disabling remote port forwarding

It is possible to use ThinLinc with remote port forwarding completely disabled. However, this will prevent local devices such as sound, drives and printers from functioning. In OpenSSH, this is configured by adding the following to /etc/ssh/sshd_config:

AllowTcpForwarding local

It is also possible to apply this restriction only to a subset of users by using the Match setting. Please see OpenSSH's documentation for how to configure this mechanism.

Note

Local port forwarding cannot be disabled as it is required for even the basic ThinLinc functionality.
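
The following script is an added example, not part of the ThinLinc documentation. It checks the effective OpenSSH server settings, as printed by sshd -T, against the values given in sections C.3 and C.3.1. The function name check_forwarding, its mode names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the ThinLinc documentation).
# Reads `sshd -T` output on stdin: one "keyword value" pair per line,
# keywords in lower case. Exit status 0 means the settings match.
#
# Usage: sshd -T | check_forwarding [loopback|local-only]
#   loopback   - section C.3: forwarding limited to the loopback interface
#   local-only - section C.3.1: remote forwarding disabled as well
check_forwarding() {
    awk -v mode="${1:-loopback}" '
        function expect(key, want,    got) {
            got = (key in val) ? val[key] : "(not set)"
            if (got == want) { print "ok    " key " " got; return }
            print "FAIL  " key " is \"" got "\", expected \"" want "\""
            bad = 1
        }
        {
            # First field is the keyword, the rest of the line is its value.
            key = $1; $1 = ""; sub(/^[ \t]+/, "")
            val[key] = $0
        }
        END {
            expect("gatewayports", "no")
            expect("permitopen", "127.0.0.1:*")
            if (mode == "local-only") {
                expect("allowtcpforwarding", "local")
            } else {
                atf = ("allowtcpforwarding" in val) ? val["allowtcpforwarding"] : "(not set)"
                if (atf == "yes" || atf == "all" || atf == "local") {
                    print "ok    allowtcpforwarding " atf
                } else {
                    # "no" or "remote" removes the local forwarding ThinLinc requires
                    print "FAIL  allowtcpforwarding is \"" atf "\", local forwarding is required"
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Constructed sample of `sshd -T` output (not captured from a real server).
SAMPLE='gatewayports no
permitopen 127.0.0.1:*
allowtcpforwarding yes'
printf '%s\n' "$SAMPLE" | check_forwarding loopback
```

When the restriction is applied through a Match block, run sshd -T with its -C option so that the settings reported are those that apply to the connection being checked.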