My point is I simply want them to be able to start the tunnel
and nothing else. If on the server side they "ssh -R ...." command
is executing the server side operation, I would like that to be
the only command available: command="/usr/bin/ssh", ....
rather than giving another opportunity for a hack through
a Perl interpreter, Bash shell or other.
Actually, using command="/bin/false" seems to work for me -
lets me open up the tunnel, without allowing any shell commands.
Unfortunately, permitopen="129.37.16.40:8086", command=xxxx
does not seem to restrict the client to only that IP & port, which I
guess is because it's set up for "ssh -L" on the local (server) side,
not for an "ssh -R" from the remote (client) side.
The Doctor wrote:
So long as they are using keys you could put a command in front of the
key forcing only that action.
ex.
authorized_keys:
command="~/open_port.sh", ssh-rsa AAAAB3NzaC1yc2EAAAA...
Peters way seems to cut out some middle men, and might be better
security wise.
Cheers,
Michael
Peter Valdemar Mørch (Lists) wrote:
What I did was create /usr/bin/ports.pl that contains:
#!/usr/bin/perl -w
print "This account can only be used to forward ports\n";
<STDIN>;
and just that. For the user in question, set up his/her shell to be
/usr/bin/ports.pl (instead of /bin/bash or whatever). That way, when the
user logs in in, they cannot do anything other than type enter to exit.
Works for me, and is short enough that there aren't any security issues
with it. (Can anybody see any that I've missed?)
Peter
