I want to allow users to set up a RemoteForward tunnel from my ssh
server (i.e. with a listening port on my server that goes back to the
user) but I do not wish them to be able to get shell access on my
server, or run arbitrary commands, and I don't much like the idea of
them being able to create LocalForwards that allow them to tunnel
anything they like through my server.
What do I need to know to restrict users in this way?
Does anyone know?
--
James Taylor
> search for /bin/false and nologin. Basically you change the shell from
> e.g. /bin/bash to /bin/false for the specified user.
I tried that, but the ssh connection terminates immediately. I need it
to stay connected so that the tunnel remains established. Maybe there is
another way, such as a ~/.ssh/config option?
Any ideas?
> About restricting LocalForwards, no idea. Maybe iptables?
Hmmm, how would you use iptables to restrict connections outbound from
my server that came from that particular user's ssh connection without
preventing other outbound connections, or preventing the user's
legitimate ssh tunnel inbound connection?
--
James Taylor
It all depends on the version you have installed.
In newer versions you can use
Match User USERNAME
and then
AllowTcpForwarding
and
PermitOpen
read more at
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
Bye
Andreas
I'm trying to allow the user to give me a tunnel that I can use to
connect back to them through any NAT at their end while NOT allowing
them to access my computer for anything else.
In the end I found an sshd_config setting called ForceCommand which I
can put in a Match User block for the tunnel user, and the command I've
forced is simply cat > /dev/null. This achieves the effect of -N in
addition to restricting them. Is there a neater way?
--
James Taylor
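Putting Andreas's Match / AllowTcpForwarding / PermitOpen suggestion and James's ForceCommand workaround together as a single sshd_config fragment. This is an added example, not configuration posted by anyone in the thread; the account name tunneluser, the port 2222 and the OpenSSH version thresholds in the comments are assumptions, so check them against the sshd_config(5) page of the version actually installed.

```sshd_config
# Added example, not from the thread. Assumptions: the tunnel account is
# "tunneluser"; the server runs OpenSSH 6.2 or newer (needed for the "remote"
# keyword of AllowTcpForwarding and for PermitTTY) and 7.4 or newer for
# PermitListen. On older versions drop the directives sshd -t rejects; the
# original Match set (Match, AllowTcpForwarding, PermitOpen, ForceCommand,
# X11Forwarding) goes back much further than the rest.

# Global defaults for everyone else stay as they are. Match blocks must come
# after all global directives, and everything below applies only to this user.
Match User tunneluser
    # Let the client bind a listening port on this server (ssh -R) but not open
    # outbound connections through it (ssh -L / -D). sshd without the "remote"
    # keyword only understands yes/no here, and "no" would break the -R tunnel.
    AllowTcpForwarding remote

    # Belt and braces: even if local forwarding were granted by some other
    # setting, permit no outbound destinations at all.
    PermitOpen none

    # Only allow the one port you will connect back through to be bound (7.4+).
    # With GatewayPorts left at its default of "no" it listens on loopback only,
    # so the port is reachable from this server but not from the rest of the net.
    PermitListen localhost:2222

    # No pty, X11 or agent forwarding for this account.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no

    # Whatever command or shell the client asks for is replaced by this one.
    # cat blocks reading stdin, so a session that is opened stays up (and so
    # does the tunnel) until the client disconnects, which is what "ssh -N"
    # gives you from the client side. Caveat: ForceCommand is executed through
    # the user's login shell with -c, so the account must keep a real shell
    # (/bin/sh is enough). Setting the shell to /bin/false or nologin makes the
    # forced command fail and the session close immediately.
    ForceCommand /bin/cat > /dev/null
```

Two checks are worth running after editing: `sshd -t` rejects any directive the installed version does not know, and `sshd -T -C user=tunneluser` prints the effective configuration for that user so you can confirm that allowtcpforwarding, permitopen, permitlisten and forcecommand came out as intended rather than being shadowed by a later Match block. The PermitOpen line is redundant once AllowTcpForwarding is "remote", but it costs nothing and still protects you on a version where the keyword silently falls back to a less restrictive value.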