restricted user for ssh reverse port forward

Forwarding a service §foo from my homeserver to a public server with a poor mans VPN was already described here. This is the followup to restrict the user which is in use on the server which runs the subdomains and the publishing webserver.

Create User on the VPS

root@vps:~# useradd foo -d /home/foo/ -s /bin/bash
root@vps:~# mkdir /home/foo
root@vps:~# chown foo:foo /home/foo
root@vps:~# su foo
foo@vps:/root$ cd
foo@vps:/home/foo$ mkdir .ssh 
foo@vps:/home/foo$ chmod 0700 .ssh 
foo@vps:/home/foo$ cd .ssh 
foo@vps:/home/foo/.ssh$ ssh-keygen -t rsa -b 4096 
foo@vps:/home/foo$ exit
root@vps:~# usermod -s /usr/sbin/nologin foo
root@vps:~# passwd -d foo



enable Public-Key Authentication && disable Passwords

as explained in my previous post

Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is ''.ssh/authorized_keys''.
Specifies whether password authentication is allowed. The default is ''yes''.

Applying the restrictions

The server configuration file is in the directory /etc/ssh/sshd_config. User specific settings can be added at the end of the file.

Match User foo
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  AllowAgentForwarding no
  PermitOpen localhost:62222
  ForceCommand echo 'This account can only be used for reverse tunnel only'
Specifies whether TCP forwarding is permitted. The default is ''yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
Specifies whether X11 forwarding is permitted. The argument must be ''yes'' or ''no''. The default is ''no''.
Specifies whether tun(4) device forwarding is allowed. The argument must be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or ''no''. Specifying ''yes'' permits both ''point-to-point'' and ''ethernet''. The default is ''no''.
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be ''no'' to force remote port forwardings to be available to the local host only, ''yes'' to force remote port forwardings to bind to the wildcard address, or ''clientspecified'' to allow the client to select the address to which the forwarding is bound. The default is ''no''.
Specifies whether ssh-agent(1) forwarding is permitted. The default is ''yes''. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with whitespace. An argument of ''any'' can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of ''internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.


Comments are closed.