
Selectively allowing port forwards
Hi!

The current version of sshd allows keys to be restricted to issuing only
specific commands. However, port forwarding can only be forbidden
entirely.

Given the following situation: A client C uses S as a POP3 server. We
want to poll E-Mail via POP3 from S to A via an ssh tunnel without
being asked for a password. Thus, we create a passphrase-less key pair
on A, transmit the public key to S and insert it into
~account/.ssh/authorized_keys. The only command allowed is "sleep", to keep
the connection open while the poll is going through via a forwarded
port.

That way, one taking possession of the private key can "only" use S for
arbitrary port forwards and does not have shell access to S.

I feel it would be desirable to restrict a key to "only do port
forwards to localhost:110". Would it be possible to have something
like that implemented in a future release?

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in the header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
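The gap Marc describes (a forced "sleep" command that still leaves the key free to open any port forward) is something an administrator can check for mechanically. Below is an added example, not code from this list or from OpenSSH, that parses the options field of authorized_keys lines and reports what a holder of each private key would get. It uses the option names documented in sshd(8); two of them, permitopen= and restrict, are later OpenSSH additions that did not exist when this was posted and are exactly the "only forward to localhost:110" restriction asked for. The sample file, its key blobs and the comment names are constructed placeholders.

```python
"""Audit OpenSSH authorized_keys entries for port-forwarding exposure.

Added example, not code from the list or from OpenSSH. Parses the options
field of each line (where command="sleep" lives) and classifies what the
private key buys: shell, unrestricted forwards behind a forced command,
forwards limited by permitopen=, or no forwarding. Option names per sshd(8).
"""
from dataclasses import dataclass, field
from typing import Optional

# A line that begins with a key type carries no options field.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def split_options(line: str):
    """Split the leading options field: comma separated, values may be
    double-quoted (commas/spaces inside, \\" escapes a quote). Stops at
    the first unquoted whitespace. Returns (options, remainder)."""
    opts, cur, i, in_quote = [], [], 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif in_quote:
            cur.append(c)
        elif c == ",":
            opts.append("".join(cur))
            cur = []
        elif c in " \t":
            break
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts, line[i:].strip()


@dataclass
class KeyEntry:
    key_type: str
    comment: str
    forced_command: Optional[str] = None
    port_forwarding: bool = True                      # may open local forwards?
    permitopen: list = field(default_factory=list)    # allowed host:port targets


def parse_entry(line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line
    else:
        options, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    entry = KeyEntry(fields[0], fields[2] if len(fields) == 3 else "")
    for opt in options:
        name, _, value = opt.partition("=")
        name = name.lower()
        if name == "command":
            entry.forced_command = value
        elif name in ("restrict", "no-port-forwarding"):
            # restrict switches every capability off; a later port-forwarding
            # option may switch that one back on, so order matters.
            entry.port_forwarding = False
        elif name == "port-forwarding":
            entry.port_forwarding = True
        elif name == "permitopen":
            entry.permitopen.append(value)
    return entry


def exposure(entry: KeyEntry) -> str:
    """What a holder of the private key can do with this entry."""
    if entry.forced_command is None:
        return "shell"                # full interactive access
    if not entry.port_forwarding:
        return "no-forwarding"        # only the forced command runs
    if entry.permitopen:
        return "forward-restricted"   # forwards only to the listed targets
    return "forward-any"              # the gap described in the thread


def audit(text: str) -> list:
    """(comment, exposure) for every key entry in an authorized_keys file."""
    return [(e.comment, exposure(e))
            for e in map(parse_entry, text.splitlines()) if e is not None]


# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
command="sleep 3600",no-pty,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER1 poll-open@A
command="sleep 3600",permitopen="localhost:110",no-pty ssh-ed25519 AAAAPLACEHOLDER2 poll-pop3@A
restrict,port-forwarding,permitopen="127.0.0.1:110",command="sleep 3600" ssh-ed25519 AAAAPLACEHOLDER3 poll-restrict@A
ssh-ed25519 AAAAPLACEHOLDER4 admin@A
no-port-forwarding,command="/usr/local/bin/backup \\"nightly\\"" ssh-rsa AAAAPLACEHOLDER5 backup@A
"""

if __name__ == "__main__":
    for comment, verdict in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{verdict:20s} {comment}")
```

The first sample entry is the setup from the post (forced "sleep", forwarding left open) and is reported as "forward-any"; the second and third carry the requested restriction via permitopen=, the third spelled with restrict followed by a selective re-enable. Only local forwards are modelled here; remote forwards are governed by a separate option (permitlisten) that this audit does not inspect.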

Re: Selectively allowing port forwards
On Mon, 3 Apr 2000, Marc Haber wrote:

> Hi!
>
> The current version of sshd allows keys to be restricted to issuing only
> specific commands. However, port forwarding can only be forbidden
> entirely.
>
> Given the following situation: A client C uses S as a POP3 server. We
> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
> being asked for a password. Thus, we create a passphrase-less key pair
> on A, transmit the public key to S and insert it into
> ~account/.ssh/authorized_keys. The only command allowed is "sleep", to keep
> the connection open while the poll is going through via a forwarded
> port.
>
> That way, one taking possession of the private key can "only" use S for
> arbitrary port forwards and does not have shell access to S.
>
> I feel it would be desirable to restrict a key to "only do port
> forwards to localhost:110". Would it be possible to have something
> like that implemented in a future release?

I have been toying with the idea of implementing Keynote[1] policies
as a substitute for authorized_keys.

Keynote is nice because it solves the delegation problem well, but I
couldn't figure out a way to cleanly support forced commands and port
forward restrictions with the current Keynote language.

-d

[1] http://www.cis.upenn.edu/~angelos/keynote.html
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)