SSH Forward port only - SSH


  1. SSH Forward port only

    Hi everyone.

    I would like to configure OpenSSH in such a way that a user can log in
    only using keys and can, for example, only tunnel one port from the
    local machine to the remote one.

    Is it possible, and if yes, how (where can I find information about
    that)?

    Details:

    HOST ----- INTERNET ---- SERVER with SSH

    Now, HOST should have access to SERVER only by keys (not interactive),
    etc., and it should be able to do port tunnelling.

    For example:
    HOST:3306 ---- Remote 3306 (MySQL) - so it will connect to the remote
    MySQL through an encrypted tunnel - but no other access should be given.

    Marcin Praczko.


  2. Re: SSH Forward port only

    On 2007-09-04, marcin.praczko@googlemail.com wrote:
    > I would like to configure OpenSSH that way, that user can login only
    > using keys and he can only for example tunnel one port from local
    > machine to remote.
    >
    > It is possible - if yes - how (where can I find information about
    > that)?


    Both of those things are possible with OpenSSH.

    There are two ways to do it. The first method ("Match") needs a recent
    version (4.6 or the just-released 4.7) but is relatively easy to set up.
    The second (key restrictions in authorized_keys) will work with pretty
    much any version, but requires some care to prevent the user from
    subverting it.

    First, you can apply directives on a per-user or per-host basis by using
    the "Match" directive in sshd_config. Any directives following a Match
    apply only to connections that meet the specified criteria.

    Next, you can control which authentications are offered by way of the
    *Authentication directives. To allow only public keys, set all of the
    other authentications that are enabled to "no" after the Match.

    Lastly, you can control where a user can send port forwards to via the
    PermitOpen directive.

    These are all described in the sshd_config(5) man page.

    Putting it all together, you would end up with something like this at
    the bottom of sshd_config:

    Match User someuser
    PubkeyAuthentication yes
    PasswordAuthentication no
    # maybe some other authentications too, depending on what's enabled
    PermitOpen mysqlserver:3306

    Restart sshd and that should do it.

    If you wanted to restrict it to just one host you could do that by making
    the Match line more specific, eg:

    Match User someuser Host somehost

    Just remember:

    a) using a hostname runs the risk of someone tampering with DNS, so use
    "Match Address" instead if possible.

    b) The *first* Match that matches overrides the default, but subsequent
    matches do not, and this happens for each directive in isolation. So,
    if you wanted to allow "someuser" to use pubkey from only one host while
    allowing all other users to use pubkey from anywhere, you would need
    something like this:

    # global default: everyone may use public keys from anywhere
    PubkeyAuthentication yes
    # first matching block for someuser from somehost: keeps pubkey enabled
    Match User someuser Host somehost
    PubkeyAuthentication yes
    # someuser from anywhere else: pubkey already decided above for somehost,
    # so this only takes effect for connections from other hosts
    Match User someuser
    PubkeyAuthentication no


    The second method (key restrictions in authorized_keys) works for versions
    older than 4.6. See the sshd(8) man page and look for "permitopen="
    and "from=". You will also have to take steps to make sure that the
    user can't edit the authorized_keys file.

    The only way to prevent the user from using password authentication is
    to either edit the password file and set an invalid password string,
    or set a strong password and don't tell the user what it is.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
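As an added illustration of point (b) above (this is not part of Darren's reply or OpenSSH's code), here is a small Python model of how sshd resolves directives across Match blocks: for each directive, the first matching block that sets it wins and later matching blocks do not override it. The sample config is constructed and uses Address rather than Host as point (a) recommends; only User and CIDR-style Address criteria are modelled, which is a simplification of what sshd supports.

```python
# Added model of sshd_config "Match" resolution (assumption: simplified, not OpenSSH code).
from ipaddress import ip_address, ip_network

# Constructed sample config mirroring the thread's three-block layout.
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication yes
PermitOpen any
Match User someuser Address 192.0.2.0/24
    PubkeyAuthentication yes
    PermitOpen mysqlserver:3306
Match User someuser
    PubkeyAuthentication no
    PasswordAuthentication no
"""

def parse_config(text):
    # Returns (global directives, [(criteria, directives), ...]) in file order.
    global_opts, blocks, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()      # keywords are case-insensitive
        if key == "match":                            # criteria come as "Name value" pairs
            parts = value.split()
            current = {}
            blocks.append(({k.lower(): v for k, v in zip(parts[::2], parts[1::2])}, current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks

def criteria_met(criteria, user, addr):
    # Assumption: only User and CIDR Address criteria are modelled here.
    for name, pattern in criteria.items():
        if name == "user" and user not in pattern.split(","):
            return False
        if name == "address" and not any(
                ip_address(addr) in ip_network(n, strict=False) for n in pattern.split(",")):
            return False
    return True

def effective(config_text, user, addr):
    # Effective directives for one connection: first matching block to set a directive wins.
    global_opts, blocks = parse_config(config_text)
    result, decided = dict(global_opts), set()
    for criteria, directives in blocks:
        if criteria_met(criteria, user, addr):
            for key, value in directives.items():
                if key not in decided:                # a later matching block can't override
                    result[key] = value
                    decided.add(key)
    return result
```

On a real server the authoritative check is sshd's own dump of the effective configuration (sshd -T with -C user=...,addr=...), a feature added in OpenSSH releases after the ones this thread discusses.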
