SSH TCP forwarding can turn a normal login account into a tunnel through a bastion, shared shell host, or restricted network segment. Disabling it on the server side blocks OpenSSH-managed local and remote port forwards while still allowing ordinary SSH logins that do not request forwarding.
The server directive is AllowTcpForwarding in /etc/ssh/sshd_config or a file loaded by it. The value no prevents both -L local forwards and -R remote forwards for sessions that match that configuration stanza; local and remote are narrower values for environments that need only one direction blocked.
This setting only controls forwarding requested by sshd. It does not prevent a shell user from running another network client after login, and it does not disable agent, X11, or Unix-domain socket forwarding. Use it to remove SSH-managed TCP tunnels from accounts that still need shell or SFTP access, and keep a second access path open before reloading the daemon.
Related: How to forward a local port with SSH
Related: How to forward a remote port in SSH
Related: How to configure SSH Match blocks
Steps to disable SSH TCP forwarding on the server:
- Open the active sshd configuration file with administrator privileges.
$ sudoedit /etc/ssh/sshd_config
Use a drop-in under /etc/ssh/sshd_config.d/ only when /etc/ssh/sshd_config includes that directory; otherwise edit the main file.
- Set the global AllowTcpForwarding directive to no before any Match blocks.
/etc/ssh/sshd_config
AllowTcpForwarding no
Change an existing active AllowTcpForwarding line instead of adding a later duplicate, because sshd_config normally uses the first value it obtains for a keyword.
- Review any later Match block that applies to the same users.
A later matched stanza can override the global forwarding policy. Keep exceptions narrow and documented if a tunnel-only account must still use AllowTcpForwarding local, remote, or yes.
Related: How to configure SSH Match blocks
- Test the sshd configuration syntax.
$ sudo sshd -t
No output means the configuration parsed successfully.
Related: How to test SSH server configuration
- Check the effective forwarding value for a representative login.
$ sudo sshd -T -C user=user,host=host.example.net,addr=203.0.113.10
port 22
addressfamily any
##### snipped #####
allowtcpforwarding no
##### snipped #####
Use the real username and source address that should receive the disabled forwarding policy.
- Reload the SSH service to apply the forwarding policy.
$ sudo systemctl reload ssh
Use sudo systemctl reload sshd on distributions that name the server unit sshd.
- Verify that a normal SSH command still authenticates.
$ ssh user@host.example.net 'echo SSH login ok'
SSH login ok
Run this from a separate client so the existing administrator session stays available for rollback.
- Attempt a remote TCP forward from a separate client session.
$ ssh -N -o ExitOnForwardFailure=yes -R 127.0.0.1:9000:127.0.0.1:22 user@host.example.net
Error: remote port forwarding failed for listen port 9000
The failure confirms that the server rejected an OpenSSH TCP forwarding request. Local -L forwards are blocked by the same AllowTcpForwarding no policy, but the client may show the denial only after a local program connects to the forwarded port.
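As an added example that is not part of this guide, the shell function below mimics how the steps above resolve AllowTcpForwarding for a user: the first value in the global section wins, and a later matching Match block overrides it. It runs against a constructed sample configuration, only understands Match User criteria, and is an audit aid rather than a replacement for sshd -T.

```shell
#!/bin/sh
# Constructed sample sshd_config text (not a file from the guide).
SAMPLE_CONFIG='AllowTcpForwarding no
AllowTcpForwarding yes   # ignored: sshd keeps the first global value
Match User tunnel-svc
    AllowTcpForwarding remote
Match User deploy,release
    AllowTcpForwarding yes
'

# effective_tcp_forwarding <user> <config-text>
# Prints the AllowTcpForwarding value sshd would apply to <user>.
# Assumption: Match blocks use only the "User" criterion (comma-separated).
effective_tcp_forwarding() {
    printf '%s\n' "$2" | awk -v user="$1" '
    BEGIN { sec = "global"; g = ""; m = "" }
    {
        sub(/#.*/, "")                       # strip comments
        if (NF == 0) next
        key = tolower($1)
        if (key == "match") {                # enter a Match block
            sec = "skip"
            if (tolower($2) == "user") {
                n = split($3, users, ",")
                for (i = 1; i <= n; i++)
                    if (users[i] == user) sec = "matched"
            }
            next
        }
        if (key == "allowtcpforwarding") {
            v = tolower($2)
            if (sec == "global" && g == "") g = v     # first global value wins
            else if (sec == "matched" && m == "") m = v # first matched block wins
        }
    }
    END {
        if (m != "") print m                 # Match overrides the global value
        else if (g != "") print g
        else print "yes"                     # OpenSSH default when unset
    }'
}

for u in alice tunnel-svc deploy; do
    printf '%s: allowtcpforwarding %s\n' "$u" \
        "$(effective_tcp_forwarding "$u" "$SAMPLE_CONFIG")"
done
```

Compare the printed values with `sshd -T -C user=...` on the real host; a mismatch usually means a Match criterion this helper does not model.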
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.