Allow user to set up an SSH tunnel, but nothing else

Question

I\'d like to allow a user to set up an SSH tunnel to a particular machine on a particular port (say, 5000), but I want to restrict this user as much as possible. (Authentica

Answer 1

I'm able to set up the authorized_keys file with the public key to log in. What I'm not sure about is the additional information I need to restrict what that account is allowed to do. For example, I know I can put commands such as:

no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

You would want a line in your authorized_keys file that looks like this.

permitopen="host.domain.tld:443",no-pty,no-agent-forwarding,no-X11-forwardi
ng,command="/bin/noshell.sh" ssh-rsa AAAAB3NzaC.......wCUw== zoredache 

Answer 2

Here you have a nice post that I found useful: http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/

The idea is: (with the new restricted username as "sshtunnel")

useradd sshtunnel -m -d /home/sshtunnel -s /bin/rbash
passwd sshtunnel

Note that we use rbash (restricted-bash) to restrict what the user can do: the user cannot cd (change directory) and cannot set any environment variables.

Then we edit the user's PATH env variable in /home/sshtunnel/.profile to nothing - a trick that will make bash not find any commands to execute:

PATH=""

Finally we disallow the user to edit any files by setting the following permissions:

chmod 555 /home/sshtunnel/
cd /home/sshtunnel/
chmod 444 .bash_logout .bashrc .profile

Answer 3

Besides authorized_keys option like no-X11-forwarding, there actually is exactly one you are asking for: permitopen="host:port". By using this option, the user may only set up a tunnel to the specified host and port.

For the details of the AUTHORIZED_KEYS file format refer to man sshd.

Answer 4

On Ubuntu 11.10, I found I could block ssh commands, sent with and without -T, and block scp copying, while allowing port forwarding to go through.

Specifically I have a redis-server on "somehost" bound to localhost:6379 that I wish to share securely via ssh tunnels to other hosts that have a keyfile and will ssh in with:

$ ssh -i keyfile.rsa -T -N -L 16379:localhost:6379 someuser@somehost

This will cause the redis-server, "localhost" port 6379 on "somehost" to appear locally on the host executing the ssh command, remapped to "localhost" port 16379.

On the remote "somehost" Here is what I used for authorized_keys:

cat .ssh/authorized_keys   (portions redacted)

no-pty,no-X11-forwarding,permitopen="localhost:6379",command="/bin/echo do-not-send-commands" ssh-rsa rsa-public-key-code-goes-here keyuser@keyhost

The no-pty trips up most ssh attempts that want to open a terminal.

The permitopen explains what ports are allowed to be forwarded, in this case port 6379 the redis-server port I wanted to forward.

The command="/bin/echo do-not-send-commands" echoes back "do-not-send-commands" if someone or something does manage to send commands to the host via ssh -T or otherwise.

From a recent Ubuntu man sshd, authorized_keys / command is described as follows:

command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored.

Attempts to use scp secure file copying will also fail with an echo of "do-not-send-commands" I've found sftp also fails with this configuration.

I think the restricted shell suggestion, made in some previous answers, is also a good idea. Also, I would agree that everything detailed here could be determined from reading "man sshd" and searching therein for "authorized_keys"