Allow user to set up an SSH tunnel, but nothing el

2019-01-29 18:16发布

站内问答 / 移动开发
1167 10 6

I'd like to allow a user to set up an SSH tunnel to a particular machine on a particular port (say, 5000), but I want to restrict this user as much as possible. (Authentication will be with public/private keypair).

I know I need to edit the relevant ~/.ssh/authorized_keys file, but I'm not sure exactly what content to put in there (other than the public key).

标签: unix ssh
举报
10条回答
姐就是有狂的资本
2楼-- · 2019-01-29 18:17

See this post on authenticating public keys.

The two main things you need to remember are:

  1. Make sure you chmod 700 ~/.ssh
  2. Append the public key block to authorized-keys
查看更多
0人赞 添加讨论(0) 举报
姐就是有狂的资本
3楼-- · 2019-01-29 18:24

You'll probably want to set the user's shell to the restricted shell. Unset the PATH variable in the user's ~/.bashrc or ~/.bash_profile, and they won't be able to execute any commands. Later on, if you decide you want to allow the user(s) to execute a limited set of commands, like less or tail for instance, then you can copy the allowed commands to a separate directory (such as /home/restricted-commands) and update the PATH to point to that directory.

查看更多
0人赞 添加讨论(0) 举报
家丑人穷心不美
4楼-- · 2019-01-29 18:25

I made a C program which looks like this:

#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>
void sig_handler(int signo)
{
    if (signo == SIGHUP)
        exit(0);
}

int main()
{
    signal(SIGINT, &sig_handler);
    signal(SIGTSTP, &sig_handler);

    printf("OK\n");
    while(1)
        sleep(1);
    exit(0);
}

I set the restricted user's shell to this program.

I don't think the restricted user can execute anything, even if they do ssh server command, because the commands are executed using the shell, and this shell does not execute anything.

查看更多
0人赞 添加讨论(0) 举报
孤傲高冷的网名
5楼-- · 2019-01-29 18:28

I'm able to set up the authorized_keys file with the public key to log in. What I'm not sure about is the additional information I need to restrict what that account is allowed to do. For example, I know I can put commands such as:

no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

You would want a line in your authorized_keys file that looks like this.

permitopen="host.domain.tld:443",no-pty,no-agent-forwarding,no-X11-forwardi
ng,command="/bin/noshell.sh" ssh-rsa AAAAB3NzaC.......wCUw== zoredache
查看更多
0人赞 添加讨论(0) 举报
三岁会撩人
6楼-- · 2019-01-29 18:30

You will generate a key on the users machine via whatever ssh client they are using. pUTTY for example has a utility to do this exact thing. It will generate both a private and public key.

The contents of the public key file generated will be placed in the authorized_keys file.

Next you need to make sure that the ssh client is configured to use the private key that generated the public key. It's fairly straight forward, but slightly different depending on the client being used.

查看更多
0人赞 添加讨论(0) 举报
我欲成王,谁敢阻挡
7楼-- · 2019-01-29 18:31

If you want to do allow access only for a specific command -- like svn -- you can also specify that command in the authorized keys file:

command="svnserve -t",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding [KEY TYPE] [KEY] [KEY COMMENT]

From http://svn.apache.org/repos/asf/subversion/trunk/notes/ssh-tricks

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)