authbind - Binding Privileged Ports

Binding Privileged Ports

In How to Write SSH Config, I introduced the following local forward setting. It listens on local port 8080 and forwards any connection to it through the SSH server to port 80 on yy.yy.yy.yy.

Host my-con-name
    HostName xx.xx.xx.xx
    Port 22
    User my-user-name
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    LocalForward 8080 yy.yy.yy.yy:80

Port 8080 is often used as an alternative HTTP port, so this is fine, but sometimes you may want to bind directly to port 80 (HTTP).

However,

    LocalForward 80 yy.yy.yy.yy:80

does not work as expected.

You will get an error like this:

bind [127.0.0.1]:80: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 80

The reason is that ports 0 to 1023 are called privileged ports, and regular users do not have permission to bind to them. Only root can bind to these ports (on Linux, more precisely, a process holding the CAP_NET_BIND_SERVICE capability).

These ports (0 to 1023) are also called system ports, and were once known as well-known ports. This range is reserved by IANA for standard services, so the OS restricts access.

You might think you can just do:

sudo ssh my-con-name

But if you do this, ssh runs as root and reads root's ~/.ssh/config instead of your user's SSH Config, so it doesn't work well.

You can easily work around this by using a tool called authbind.

sudo apt install authbind

After installing, for example, you can grant the current user permission to bind to port 80 as follows:

# Grant port 80 to a specific user: authbind allows a bind to port N when
# /etc/authbind/byport/N exists and is executable by the calling user
sudo touch /etc/authbind/byport/80
sudo chown $USER /etc/authbind/byport/80
# 500 = owner read+execute only; the execute bit is what authbind checks
sudo chmod 500 /etc/authbind/byport/80

Then,

authbind ssh my-con-name

And just like magic, you can bind privileged ports with user privileges. Under the hood, authbind preloads a library that intercepts bind() and hands the request to a small setuid helper that consults /etc/authbind, so ssh itself never runs as root. Note that the grant is per user and per port, not per program: any command that user runs under authbind may bind port 80.
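As an added example (not part of the original post), the following POSIX shell functions check the authbind byport rule described above: a port below 1024 is privileged, and a bind to it is permitted only if /etc/authbind/byport/PORT exists and is executable by the current user. The AUTHBIND_DIR variable is an assumption introduced here so the check can be pointed at a test directory; real authbind only reads /etc/authbind.

```shell
#!/bin/sh
# Added example: verify whether the current user would be allowed by authbind
# to bind a TCP port, following the byport rule (file exists and is executable).
# AUTHBIND_DIR is an assumed override for testing; authbind itself uses /etc/authbind.

AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind}"

# is_port_number PORT -> 0 if PORT is a non-negative integer
is_port_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# is_privileged_port PORT -> 0 if PORT is in the privileged range 0-1023
is_privileged_port() {
    is_port_number "$1" || return 1
    [ "$1" -ge 0 ] && [ "$1" -le 1023 ]
}

# authbind_allows PORT -> 0 if $AUTHBIND_DIR/byport/PORT exists and is executable by us
authbind_allows() {
    f="$AUTHBIND_DIR/byport/$1"
    [ -f "$f" ] && [ -x "$f" ]
}

# explain_port PORT -> prints a one-line verdict; returns 0 if a bind would succeed
explain_port() {
    port="$1"
    if ! is_port_number "$port"; then
        echo "port '$port': not a valid port number"
        return 2
    fi
    if ! is_privileged_port "$port"; then
        echo "port $port: unprivileged, no authbind needed"
        return 0
    fi
    if authbind_allows "$port"; then
        echo "port $port: privileged, permitted via $AUTHBIND_DIR/byport/$port"
        return 0
    fi
    echo "port $port: privileged, NOT permitted (no executable $AUTHBIND_DIR/byport/$port)"
    return 1
}

# Usage: explain_port 80   (run with AUTHBIND_DIR=/etc/authbind on a real system)
```

Running `explain_port 80` before `authbind ssh my-con-name` tells you whether the byport grant is actually in place for your user, which is the usual reason the authbind run still fails with "Permission denied" (a file with mode 400 instead of 500, or owned by a different user).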