Allow user to set up an SSH tunnel, but nothing else

Backend | Unresolved | 10 | 2014
小蘑菇 2020-12-22 16:47

I'd like to allow a user to set up an SSH tunnel to a particular machine on a particular port (say, 5000), but I want to restrict this user as much as possible. (Authentica

10 answers
  • 2020-12-22 16:56

    See this post on authenticating public keys.

    The two main things you need to remember are:

    1. Make sure you chmod 700 ~/.ssh
    2. Append the public key block to authorized_keys
  • 2020-12-22 16:57

    You will generate a key on the user's machine via whatever SSH client they are using. PuTTY, for example, has a utility to do exactly this. It will generate both a private and a public key.

    The contents of the public key file generated will be placed in the authorized_keys file.

    Next you need to make sure that the SSH client is configured to use the private key that generated the public key. It's fairly straightforward, but slightly different depending on the client being used.
  • 2020-12-22 16:58

    You'll probably want to set the user's shell to the restricted shell. Unset the PATH variable in the user's ~/.bashrc or ~/.bash_profile, and they won't be able to execute any commands. Later on, if you decide you want to allow the user(s) to execute a limited set of commands, like less or tail for instance, then you can copy the allowed commands to a separate directory (such as /home/restricted-commands) and update the PATH to point to that directory.

  • 2020-12-22 16:58

    My solution for a user who may only tunnel, with no interactive shell, is to set that user's shell in /etc/passwd to /usr/bin/tunnel_shell.

    Just create the executable file /usr/bin/tunnel_shell with an infinite loop.

    #!/bin/bash
    # Login shell for tunnel-only accounts: it never runs a command, it just
    # blocks until the SSH connection (and with it this process) goes away.
    # Ignore interrupt and job-control signals so the user cannot break out of
    # the loop. Signals are given by name: the numeric 2 20 24 mean different
    # signals on Linux and BSD.
    trap '' INT QUIT TSTP
    clear
    echo -e "\r\n\033[32mSSH tunnel started, shell disabled by the system administrator\r\n"
    while true; do
        sleep 1000
    done
    exit 0
    

    Fully explained here: http://blog.flowl.info/2011/ssh-tunnel-group-only-and-no-shell-please/

  • 2020-12-22 16:59

    I made a C program which looks like this:

    #include <signal.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Catch-and-ignore handler for keyboard signals: returning does nothing,
     * so Ctrl-C and Ctrl-Z can neither terminate nor suspend the process.
     * SIGHUP is deliberately left at its default action (terminate) so the
     * process exits when the SSH connection drops. */
    static void sig_handler(int signo)
    {
        (void)signo;
    }

    int main(void)
    {
        signal(SIGINT, sig_handler);
        signal(SIGTSTP, sig_handler);

        /* Tell the user the session is up, then block forever. Any command
         * sshd passes as "-c cmd" is simply never looked at. */
        printf("OK\n");
        fflush(stdout);
        for (;;)
            sleep(1);
        return 0; /* not reached */
    }
    

    I set the restricted user's shell to this program.

    I don't think the restricted user can execute anything, even if they run "ssh server command", because the commands are executed using the shell, and this shell does not execute anything.
  • 2020-12-22 17:03

    If you want to allow access only for a specific command -- like svn -- you can also specify that command in the authorized keys file:

    command="svnserve -t",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding [KEY TYPE] [KEY] [KEY COMMENT]
    

    From http://svn.apache.org/repos/asf/subversion/trunk/notes/ssh-tricks

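Applying the per-key options from the answer above to the original question (a tunnel to port 5000 and nothing else), and pairing them with a server-side Match block, as an added example that is not part of any of the answers. The loop-shell approaches earlier in the thread keep the session open without executing commands, but they do not limit which hosts and ports the user may forward to; that is what permitopen / PermitOpen do. The account name tunnel, the loopback destination 127.0.0.1:5000 and the key body are assumptions; the restrict option needs OpenSSH 7.2 or later.

```text
# /home/tunnel/.ssh/authorized_keys (a single line per key; wrapped here only for reading)
# restrict disables pty, agent, X11, rc files and all forwarding; port-forwarding
# re-enables TCP forwarding only, and permitopen pins the allowed destination.
# The key body below is a placeholder, not a real key.
restrict,port-forwarding,permitopen="127.0.0.1:5000" ssh-ed25519 AAAA...placeholder... tunnel-only

# /etc/ssh/sshd_config (appended; Match blocks must follow the global settings)
# Server-side copy of the same policy, so a mistake in one key's options
# does not silently widen access. "local" allows -L only, not -R or -D.
Match User tunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5000
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/false
```

The client connects with `ssh -N -L 5000:127.0.0.1:5000 tunnel@server`: -N requests no session, so ForceCommand never matters, and if a session is requested anyway /bin/false ends it immediately. PermitOpen and permitopen compare the destination the client asks for literally, so `-L 5000:localhost:5000` would be refused by this configuration; either list both spellings or tell users which one to use. After editing sshd_config, `sshd -t` checks the syntax and `sshd -T -C user=tunnel` prints the settings that will actually apply to that account.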