6.5.3 (L1) Host SSH daemon, if enabled, must not allow use of gateway ports


When the SSH daemon on the host is enabled, its gateway ports feature should be disabled to prevent remote hosts from forwarding connections. This is a hardening measure that keeps the SSH service securely configured against misuse of forwarding.

Disabling gateway ports is a preventative measure against unauthorized forwarding by remote hosts, which improves the security posture of the system. It is a prudent step in minimizing the attack surface associated with the SSH service.



There are no noted functional impacts associated with this control. It is a proactive security measure that prevents potential misuse of the SSH service's forwarding capabilities without affecting the normal operation of the host.
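One way to check this setting offline, as an added example that is not part of the original audit item. It assumes the control maps to the OpenSSH `GatewayPorts` directive in `sshd_config`, applies sshd's first-value-wins rule for the global section, and also flags `Match` blocks that re-enable the feature; the function name and the sample configuration are constructed for illustration.

```python
import re

# keyword, then whitespace or a single '=', then the arguments
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")

def audit_gateway_ports(config_text):
    """Evaluate GatewayPorts in sshd_config text (Include files are not followed)."""
    global_value = None     # first global value wins, as sshd applies it
    overrides = []          # (line number, Match criteria, value) where value != "no"
    match_criteria = None   # None while still in the global section
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = _DIRECTIVE.match(raw.strip())
        if not m:           # blank line, comment, or keyword without argument
            continue
        keyword, tokens = m.group(1).lower(), m.group(2).split()
        if not tokens:
            continue
        if keyword == "match":
            match_criteria = " ".join(tokens)
            continue
        if keyword != "gatewayports":
            continue
        value = tokens[0].strip('"').lower()
        if match_criteria is None:
            if global_value is None:
                global_value = value
        elif value != "no":
            overrides.append((lineno, match_criteria, value))
    effective = global_value or "no"    # OpenSSH default when unset
    return {"global": effective, "match_overrides": overrides,
            "compliant": effective == "no" and not overrides}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
gatewayports no
GatewayPorts yes
Match User tunnel
    GatewayPorts=clientspecified
"""

if __name__ == "__main__":
    print(audit_gateway_ports(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration, including values pulled in through `Include`, which this parser does not follow.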


Item Details


References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2, CSCv7|12.4

Plugin: Unix

Control ID: 71ef3ffdd4ee202d618b636f6955347bbd8072d5ac9307bdbcfe10dfdf80c805