Forwarding a service foo from my homeserver to a public server with a poor man's VPN was already described here. This is the follow-up: restricting the user account that the tunnel uses on the server which runs the subdomains and the publishing webserver.
Create User on the VPS
```
root@vps:~# useradd foo -d /home/foo/ -s /bin/bash
root@vps:~# mkdir /home/foo
root@vps:~# chown foo:foo /home/foo
root@vps:~# su foo
foo@vps:/root$ cd
foo@vps:/home/foo$ mkdir .ssh
foo@vps:/home/foo$ chmod 0700 .ssh
foo@vps:/home/foo$ cd .ssh
foo@vps:/home/foo/.ssh$ ssh-keygen -t rsa -b 4096
foo@vps:/home/foo$ exit
root@vps:~# usermod -s /usr/sbin/nologin foo
root@vps:~# passwd -d foo
```
as explained in my previous post
AuthorizedKeysFile
    Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is ''.ssh/authorized_keys''.

PasswordAuthentication
    Specifies whether password authentication is allowed. The default is ''yes''.
Applying the restrictions
The server configuration file is /etc/ssh/sshd_config. User-specific settings go into a Match block at the end of the file: every line after a Match line applies only to that match, up to the next Match line or the end of the file, so the global settings must come before it.
```
Match User foo
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:62222
    ForceCommand echo 'This account can only be used for reverse tunnel only'
```
AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. The default is ''yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

X11Forwarding
    Specifies whether X11 forwarding is permitted. The argument must be ''yes'' or ''no''. The default is ''no''.

PermitTunnel
    Specifies whether tun(4) device forwarding is allowed. The argument must be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or ''no''. Specifying ''yes'' permits both ''point-to-point'' and ''ethernet''. The default is ''no''.

GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be ''no'' to force remote port forwardings to be available to the local host only, ''yes'' to force remote port forwardings to bind to the wildcard address, or ''clientspecified'' to allow the client to select the address to which the forwarding is bound. The default is ''no''.

AllowAgentForwarding
    Specifies whether ssh-agent(1) forwarding is permitted. The default is ''yes''. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

PermitOpen
    Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
        PermitOpen host:port
        PermitOpen IPv4_addr:port
        PermitOpen [IPv6_addr]:port
    Multiple forwards may be specified by separating them with whitespace. An argument of ''any'' can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.

ForceCommand
    Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of ''internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.
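To confirm that the Match block really applies to the tunnel user, sshd's test mode (`sshd -T -C user=...`) prints the effective configuration for that user, and the following script, added here and not part of the original post, compares that output against the values above. The hostname, address and the sample output inside it are constructed, and PasswordAuthentication no is assumed to be the global setting from the previous post.

```shell
#!/bin/sh
# Added example (not from the original post): check that the Match block for
# the tunnel user took effect. `sshd -T -C user=foo,...` prints the effective
# configuration for that user, one lower-cased keyword per line. Real use:
#   sshd -T -C user=foo,host=vps.example,addr=203.0.113.5 | check_tunnel_user
# (host/addr values and the sample output below are constructed).

# Reads `sshd -T` output on stdin, prints one line per mismatch and returns 0
# only when every expected keyword has the expected value.
check_tunnel_user() {
    actual=$(cat)
    rc=0
    # Expected values are those of the post's Match block, plus the assumed
    # global PasswordAuthentication no. Note: PermitOpen restricts only local
    # (-L) forwards; remote (-R) listeners are governed by PermitListen
    # (OpenSSH 7.8+), which is not part of the post's block and not checked.
    for pair in \
        'allowtcpforwarding yes' 'x11forwarding no' 'permittunnel no' \
        'gatewayports no' 'allowagentforwarding no' \
        'permitopen localhost:62222' 'passwordauthentication no'; do
        key=${pair%% *}
        want=${pair#* }
        # Value part of the matching line(s): empty if the keyword is absent,
        # several lines if it occurs more than once (also a mismatch).
        got=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: expected "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-in for `sshd -T -C user=foo` output on a correctly
# configured server, so the check can be tried offline.
sample_sshd_t_output() {
    cat <<'EOF'
port 22
passwordauthentication no
allowtcpforwarding yes
x11forwarding no
permittunnel no
gatewayports no
allowagentforwarding no
permitopen localhost:62222
forcecommand echo 'This account can only be used for reverse tunnel only'
EOF
}
sample_sshd_t_output | check_tunnel_user && echo "tunnel user restrictions in effect"
```

Run it on the VPS after editing sshd_config; a non-zero exit with MISMATCH lines means the block is missing, misspelled or placed before a global setting that overrides it.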