How can an SSH command be set up to allow port forwarding but not execute commands?
I know that the ssh login can use -N to stop commands executing, but can the ssh config file be set up to disallow it?
Restricting the type of shell and the path in Linux is an option, but can it be done in the SSH configuration itself?
-
this article should set you in the right path
http://www.semicomplete.com/articles/ssh-security/
From eric -
Look at man sshd and search for AUTHORIZED_KEYS FILE FORMAT. What you want to do is create a public/private key pair, and put the public key in the ~/.ssh/authorized_keys file as normal. Then edit the authorized_keys file to add the string:
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80"
It will end up looking kind of like:
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-dss AAAAC3...51R==
You would want to change the argument to 'permitopen' and possibly change some of the other settings, but I think that's basically it.
vfclists: I guess the permitopen sets the local ports that can be forwarded from the user's end. Does it affect remote port forwarding? Does it apply only to that key?
Slartibartfast: The authorized_keys file is on the remote (ssh server) end. It indicates host+port combinations that clients with the authorized key are allowed to connect to via the server. The port that you use on the local (ssh client) side is irrelevant (and probably not communicated to the server), so it is omitted. Yes, it applies only to that key (which is why it is listed on the same line as the public key corresponding to the key that is permitted).
From Slartibartfast
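The answer above relies on getting the authorized_keys options exactly right, and a key that is missing one of them quietly keeps shell access. The following script is an added example, not code from the thread or from OpenSSH: it parses the options field of an authorized_keys file (commas inside quoted values do not split, backslash escapes a quote) and reports, per key, which of the restrictions from the recipe are missing. The option names are the real sshd(8) ones; the sample file contents and the audit policy (what counts as "forwarding only") are this example's own assumptions. It also accepts the newer restrict keyword, which disables forwarding, pty and ~/.ssh/rc in one word but, notably, does not stop a shell from running, so a forced command is still needed.

```python
"""Audit an OpenSSH authorized_keys file for keys intended to be
"forwarding only" that still allow a shell, a pty, agent/X11 forwarding
or unrestricted forwarding targets. Added example; the file below is
constructed, and the policy is an assumption of this example."""

import re

# Key types sshd accepts; a line whose first token matches carries no options.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.@-]+)(-cert-v01@openssh\.com)?$")

# Restrictions the forwarding-only recipe depends on (lower-cased; sshd ignores case).
REQUIRED = ("no-pty", "no-agent-forwarding", "no-x11-forwarding", "no-user-rc")

SAMPLE = """\
# constructed sample authorized_keys (key blobs are fake placeholders)
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-ed25519 AAAAC3FAKEBLOB tunnel@example
restrict,port-forwarding,permitopen="10.0.0.5:5432" ssh-ed25519 AAAAC3FAKEBLOB db-tunnel
command="echo \\"hi, there\\"",no-pty ssh-rsa AAAAB3FAKEBLOB loose@example
ssh-rsa AAAAB3FAKEBLOB admin@example
"""


def _split_options(text):
    """Split the options field on commas outside double quotes and strip the
    quotes; a backslash inside quotes escapes the next character."""
    tokens, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quotes and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            tokens.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_line(line):
    """Return (options, key_type, key_blob, comment) for one authorized_keys
    line, or None for blank lines and comments. options is a list of
    (name, value) with value None for bare flags such as no-pty."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        opts_text, rest = "", line
    else:
        # The options field ends at the first whitespace outside double quotes.
        in_quotes, i = False, 0
        while i < len(line):
            c = line[i]
            if in_quotes and c == "\\":
                i += 2; continue
            if c == '"':
                in_quotes = not in_quotes
            elif c.isspace() and not in_quotes:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    options = []
    for tok in _split_options(opts_text):
        name, _, value = tok.partition("=")
        options.append((name.lower(), value if "=" in tok else None))
    return options, parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def audit_options(options):
    """List what keeps a key from being forwarding-only under this example's policy."""
    names = {n for n, _ in options}
    restricted = "restrict" in names
    problems = []
    if "command" not in names:
        # restrict alone does not prevent a shell; only a forced command does.
        problems.append("no forced command: key can still run a shell or command")
    for flag in REQUIRED:
        re_enabled = flag[3:] in names            # e.g. "pty" after "restrict"
        if not (flag in names or (restricted and not re_enabled)):
            problems.append(f"missing {flag}")
    targets = [v for n, v in options if n == "permitopen"]
    if not targets:
        problems.append("no permitopen: key may forward to any host:port")
    elif any(t == "any" or t.rsplit(":", 1)[-1] == "*" for t in targets):
        problems.append("permitopen allows a wildcard target")
    return problems


def audit_file(text):
    """Audit every key in an authorized_keys file; returns [(label, problems)]."""
    report = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            options, key_type, blob, comment = parsed
            report.append((comment or f"{key_type} {blob[:12]}", audit_options(options)))
    return report


if __name__ == "__main__":
    for label, problems in audit_file(SAMPLE):
        print(label, "->", "OK (forwarding only)" if not problems else "; ".join(problems))
```

Run it against a real file with `audit_file(open("/home/user/.ssh/authorized_keys").read())`; any key that reports problems can still do more than forward ports, whatever the comment on the line claims.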