Re: sshd port forwarding with no shell? chroot/jail?


 




My point is I simply want them to be able to start the tunnel
and nothing else. If on the server side the "ssh -R ...." command
is executing the server side operation, I would like that to be
the only command available: command="/usr/bin/ssh", ....
rather than giving another opportunity for a hack through
a Perl interpreter, Bash shell or other.

Actually, using command="/bin/false" seems to work for me -
lets me open up the tunnel, without allowing any shell commands.

Unfortunately, permitopen="129.37.16.40:8086", command=xxxx
does not seem to restrict the client to only that IP & port, which I
guess is because it's set up for "ssh -L" on the local (server) side,
not for an "ssh -R" from the remote (client) side.
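An added example, not from anyone in this thread: a constructed authorized_keys entry of the kind this thread is after, next to the weak form, plus a small audit check for such entries. The key material and the "tunnel-user" comment are made up; "restrict" (OpenSSH 7.2+) and "permitlisten" (OpenSSH 7.8+) are the later options that cover the -R gap noted above, since permitopen only limits -L targets.

```sh
#!/bin/sh
# Added example (not from the thread). Sample authorized_keys entries for a
# tunnel-only account; key material and the comment field are constructed.

# Weak: permitopen only limits -L targets, and with no command= the key still
# gets the account's login shell.
WEAK_LINE='permitopen="129.37.16.40:8086" ssh-rsa AAAAB3NzaC1yc2EAAAA...EXAMPLE tunnel-user'

# Hardened: "restrict" (OpenSSH 7.2+) disables pty, agent/X11 forwarding, rc
# files and all forwarding; "port-forwarding" re-enables only forwarding;
# "permitlisten" (OpenSSH 7.8+) is the -R counterpart of permitopen and pins
# the server-side listen port; command= leaves no shell. Clients keep the
# tunnel up with "ssh -N", which requests no session, so nothing executes.
HARD_LINE='restrict,port-forwarding,permitlisten="8086",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAA...EXAMPLE tunnel-user'

# check_tunnel_only LINE: returns 0 if the options field carries command=,
# a pty-disabling option and a permitlisten= limit; 1 otherwise.
# A string check on the options field, not a full authorized_keys parser.
check_tunnel_only() {
    # Everything before the key type is the options field.
    opts=${1%%" ssh-"*}; opts=${opts%%" ecdsa-"*}; opts=${opts%%" sk-"*}
    [ "$opts" != "$1" ] || return 1    # no options field at all
    case $opts in *command=*) ;; *) return 1 ;; esac
    case $opts in *restrict*|*no-pty*) ;; *) return 1 ;; esac
    case $opts in *permitlisten=*) ;; *) return 1 ;; esac
    return 0
}

# count_unrestricted: reads authorized_keys lines on stdin and prints how
# many non-comment entries fail check_tunnel_only.
count_unrestricted() {
    n=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        check_tunnel_only "$line" || n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh audit_tunnel_keys.sh /path/to/authorized_keys
if [ -n "$1" ]; then
    count_unrestricted < "$1"
fi
```

A non-zero count means some key on the file can still reach a shell or open an arbitrary listener; the same limits can be set server-wide in sshd_config with a Match block using ForceCommand, AllowTcpForwarding remote and PermitListen.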


The Doctor wrote:
So long as they are using keys you could put a command in front of the key forcing only that action.

ex.
authorized_keys:
command="~/open_port.sh", ssh-rsa AAAAB3NzaC1yc2EAAAA...

Peter's way seems to cut out some middle men, and might be better security wise.

Cheers,
Michael

Peter Valdemar Mørch (Lists) wrote:
What I did was create /usr/bin/ports.pl that contains:

#!/usr/bin/perl -w
print "This account can only be used to forward ports\n";
<STDIN>;

and just that. For the user in question, set up his/her shell to be
/usr/bin/ports.pl (instead of /bin/bash or whatever). That way, when the
user logs in, they cannot do anything other than type enter to exit.

Works for me, and is short enough that there aren't any security issues
with it. (Can anybody see any that I've missed?)

Peter
