
#1 2009-07-20 10:54:58

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

SSHd: Allowing a user only tcp forwarding access

Hello fellow archers!

I have a server running the latest Arch version of the OpenSSH daemon, and it's working great. However, I would like to create a user which only has the option of forwarding TCP connections ( i.e. use the server as a proxy ), and as little local file system access as possible...
Ideally, some sort of chroot with TCP forwarding on just for that one user would be ideal; however, after googling around a bit, chrooting SSH users seems to be no simple business.

Anyone got a suggestion as to how I might accomplish this?

Jon


#2 2009-07-22 18:59:45

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: SSHd: Allowing a user only tcp forwarding access

Look through man sshd, section "AUTHORIZED_KEYS FILE FORMAT" -- you'll see some hints wink


#3 2009-07-22 19:28:31

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

Re: SSHd: Allowing a user only tcp forwarding access

Hmm.. As far as I can gather, I can for example set command="/bin/false", or would that prevent the login in the first place?
Maybe using the no-pty option is better, but will this also cause the same problem? Windows clients like PuTTY always attempt to spawn a terminal AFAIK, and will it not simply close the connection if it cannot?

I do not use certificates/keys, but simple login ( for convenience, so that I can log in from anywhere. Or is there a simple way of doing this? ), and the authorized_keys file seems only to allow public key authentication?

Last edited by Jonhoo (2009-07-22 19:29:52)


#4 2009-07-22 21:18:38

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: SSHd: Allowing a user only tcp forwarding access

Set it to 'sleep 60' -- you'll have 60 seconds to open the tunnel, should be enough. I'm afraid I cannot test any Windows client at the moment...
But, if you do not use key based auth, then of course authorized_keys won't help; maybe try to use ForceCommand with Match in sshd_config? I didn't try it myself though, I had suggested authorized_keys because this is the way I had done it before.


#5 2009-07-22 21:57:14

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

Re: SSHd: Allowing a user only tcp forwarding access

Hmm.. Yeah, that might work.. But won't the tunnel close after 60 seconds then?


#6 2009-07-23 22:20:38

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

Re: SSHd: Allowing a user only tcp forwarding access

Bump.


#7 2009-07-25 16:28:06

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: SSHd: Allowing a user only tcp forwarding access

Just try it wink But it should not close, see "TCP FORWARDING" section in man ssh, there is an example with 'sleep 10' and following comment:

the remote command ``sleep 10'' is specified to allow an amount of time (10 seconds, in the example) to start the service which is to be tunnelled. If no connections are made within the time specified, ssh will exit.

-- so, you have to open tunneled connection within time specified, but then it will go on. Or simply use sleep 86400 wink


#8 2009-07-25 16:52:28

arkham
Member
From: Stockholm
Registered: 2008-10-26
Posts: 516

Re: SSHd: Allowing a user only tcp forwarding access

Jonhoo wrote:

Hello fellow archers!

I have a server running the latest Arch version of the OpenSSH daemon, and it's working great. However, I would like to create a user which only has the option of forwarding TCP connections ( i.e. use the server as a proxy ), and as little local file system access as possible...
Ideally, some sort of chroot with TCP forwarding on just for that one user would be ideal; however, after googling around a bit, chrooting SSH users seems to be no simple business.

Anyone got a suggestion as to how I might accomplish this?

Jon

ssh has already implemented some nice tricks to create a socks proxy: it basically opens up a connection to the destination ssh server and creates a socks proxy with a listening port on your source computer. All you have to do is launch

ssh -ND LOCAL_PORT USER@IP

And for example, configure firefox with socks proxy address 127.0.0.1 and port PORT. Enjoy wink


"I'm Winston Wolfe. I solve problems."

~ Need moar games? [arch-games] ~ [aurcheck] AUR haz updates? ~

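Editor's added example, not code from any poster in this thread: it puts together the pieces suggested in #2, #4, #7 and #8 into the two OpenSSH fragments that confine one account to TCP forwarding. The sshd_config Match block (for password or key logins) uses ForceCommand with a long sleep instead of a shell, as in the man ssh "TCP FORWARDING" example, and the authorized_keys line (for key logins) uses the options from the "AUTHORIZED_KEYS FILE FORMAT" section. The account name "proxyuser", the 86400-second sleep, the 127.0.0.1:3128 destination and the sample public key are assumptions; PermitTTY needs OpenSSH 6.2 or newer, and OpenSSH 7.2 or newer also accepts the shorter "restrict,port-forwarding" form in authorized_keys.

```shell
#!/bin/sh
# Added example (not from the thread): emit OpenSSH config fragments that
# restrict one account to TCP forwarding only. "proxyuser", the sleep length
# and the sample key below are assumptions.

# sshd_config Match block (sshd_config(5): Match, ForceCommand, PermitTTY,
# AllowTcpForwarding, PermitOpen). Applies to password and key logins alike.
# $1 = account to confine, $2 = PermitOpen spec ("any" keeps -D SOCKS usable;
# a host:port list limits -L/-D destinations to those endpoints).
forward_only_match_block() {
    user="$1"
    permit_open="${2:-any}"
    cat <<EOF
Match User $user
    # Clients that request a session get a do-nothing command instead of a
    # shell; "ssh -N" requests no session at all, so only the forwarding runs.
    ForceCommand /bin/sleep 86400
    PermitTTY no
    AllowTcpForwarding yes
    PermitOpen $permit_open
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# authorized_keys line for key-based logins (sshd(8), AUTHORIZED_KEYS FILE
# FORMAT). $1 = public key, $2 = optional permitopen host:port (empty = none).
restricted_authorized_key() {
    pubkey="$1"
    permit_open="$2"
    opts='command="/bin/sleep 86400",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc'
    if [ -n "$permit_open" ]; then
        opts="$opts,permitopen=\"$permit_open\""
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# Constructed sample key material; not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal proxyuser@example'

# Stand-alone run: print both fragments for review before installing them.
forward_only_match_block proxyuser
forward_only_match_block proxyuser '127.0.0.1:3128'
restricted_authorized_key "$SAMPLE_KEY"
restricted_authorized_key "$SAMPLE_KEY" '127.0.0.1:3128'
```

After appending the Match block to sshd_config, run `sshd -t` to validate it and reload sshd. A working setup lets `ssh -N -D 1080 proxyuser@host` bring up the local SOCKS port, while `ssh proxyuser@host id` prints nothing (the forced sleep runs instead of id) and an interactive login never reaches a shell. The permitopen variant is the one to use when the account should only reach a fixed internal service rather than act as a general proxy.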

#9 2009-07-25 17:26:01

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

Re: SSHd: Allowing a user only tcp forwarding access

Yes, but again, I want these users to only have access to socks forwarding, and not any form of shell access.. Is this possible?


#10 2009-07-25 17:31:58

lifeafter2am
Member
From: 127.0.0.1
Registered: 2009-06-10
Posts: 1,332

Re: SSHd: Allowing a user only tcp forwarding access

You could do this with OpenVPN you know.  smile


#binarii @ irc.binarii.net
Matrix Server: https://matrix.binarii.net
-------------
Allan -> ArchBang is not supported because it is stupid.


#11 2009-07-25 19:18:05

Jonhoo
Member
Registered: 2009-05-23
Posts: 118

Re: SSHd: Allowing a user only tcp forwarding access

Well, yes, probably, but I already have an SSH daemon running, and I know it can handle exactly what I need, so would be great to find out how... smile

