
Securing an ssh key for remote port forward only
I'm giving a nephew his first linux computer, and I want to be able to
connect to it remotely reliably if he runs into trouble, given the
potential for travel restrictions in the US.

I set up an ssh key on this laptop and an account for it on a vps of mine.

I installed the ssh key on the vps, and am planning to wrap autossh in a
systemd script. So that any time the system is booted, it will try to keep
alive the ssh connection back to my VPS. And that ssh connection will use
-R 12345:localhost:22 so that from my vps, I can ssh to his laptop through
the reverse port forward.

This will avoid him having to negotiate port forwarding. And it will be
dependent on no 3rd party services that could change over time. As long as
he "can get on the internet" by clicking around networkmanager, it should
just connect in the background and stay connected.

But I don't want that key to be able to do anything else on my VPS.
(shell, or SOCKS proxy/regular port forwards). I've done similar locked keys
before for other purposes, but never for a reverse port forward.

So I looked through some documentation, googled a bit, and found:

command="echo 'Port forwarding only account.'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen="127.0.0.1:8080"
ssh-rsa AAAA-blahblahblahb

I learned that if I follow no-port-forwarding with a permitopen in
authorized-keys it creates specific allowed port forwards and all others
will be denied. That sounds like what I want. But it was for
regular/forward/-L port forwarding. What I need is a version of permitopen
for reverse/-R port forwarding.

I tried permitbind and permitlisten, and those were both nonexistent. I
searched for a manpage for authorized_keys and didn't find out, but I did
find a post on this very mailing list years ago asking for one. I ran sshd
through gnu strings and looked for strings adjacent to permitopen that I
might try, and nada.

How can I accomplish this?
(let an ssh key open specific remote port forwards but no local ports
forwards, and no non-listed remotes)

I'd rather not run a separate vm/public ip just for this, or a separate
sshd instance in a selinux-limited chroot jail or something crazy like
that. I'd really like to solve the key/account lockdown in the authkeys
file, or sshd config.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Securing an ssh key for remote port forward only
In your VPS sshd_config, you can put the following:

Match User myNephew
    # ZERO -- no login sessions allowed
    MaxSessions 0
    # User can not connect to any listening ports
    PermitOpen none
    # User can listen from this server port
    PermitListen localhost:12345
    # Make sure we have heard from the nephew recently
    ClientAliveInterval 300
    PasswordAuthentication no

Some options may depend on the OpenSSH version you are running on your VPS.

On Sat, 1 Aug 2020 at 16:54, Billy Croan <Billy@croan.org> wrote:
> [...]
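The reply's Match block and the client side described in the original post, put together as an added worked example. This is not code from either message, from OpenSSH or from autossh; the VPS host name vps.example, the VPS account nephew, the laptop user tunnel and the port 12345 are assumptions, and permitlisten/PermitListen need OpenSSH 7.8 or newer on the VPS. On the VPS side the key gets restrict,port-forwarding,permitlisten="localhost:12345": restrict switches off every forwarding kind along with pty, X11, agent and ~/.ssh/rc, so port-forwarding has to follow it before permitlisten has anything to confine. That authorized_keys line confines -R listeners but cannot refuse -L/-D requests on its own; the refusal comes from AllowTcpForwarding remote and PermitOpen none in the Match block, and MaxSessions 0 leaves the key with no session channel at all. The laptop side is the autossh unit the original post plans. The audit function is deliberately conservative: it blanks quoted values before looking at the options and rejects any entry that still carries a permitopen, such as the snippet the original post found.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: VPS host vps.example,
# VPS account nephew, laptop user tunnel, listen port 12345.
# permitlisten/PermitListen need OpenSSH 7.8 or newer on the VPS.

PORT=12345
VPS_USER=nephew
VPS_HOST=vps.example
KEY_USER=tunnel

# VPS authorized_keys entry for the laptop's key. "restrict" turns off pty,
# X11, agent, ~/.ssh/rc and all forwarding; "port-forwarding" turns forwarding
# back on; "permitlisten" confines -R listeners to localhost:$PORT. -L and -D
# are not refused here: that is done by the Match block below.
# $1 = public key line, e.g. "ssh-ed25519 AAAA... comment"
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
        "$PORT" "$1"
}

# VPS sshd_config Match block (the reply's settings plus AllowTcpForwarding).
# Must come after every non-Match directive in sshd_config.
sshd_match_block() {
    cat <<EOF
Match User $VPS_USER
    # 0 = no shell, exec or subsystem session; forwarding still works
    MaxSessions 0
    # only -R; every -L/-D (direct-tcpip) request is refused
    AllowTcpForwarding remote
    PermitOpen none
    PermitListen localhost:$PORT
    ClientAliveInterval 300
    ClientAliveCountMax 3
    PasswordAuthentication no
EOF
}

# Laptop systemd unit. -M 0 drops autossh's monitor port in favour of ssh
# keepalives; ExitOnForwardFailure makes a refused -R fatal, so autossh
# restarts instead of sitting connected without the tunnel.
autossh_unit() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $VPS_HOST
After=network-online.target
Wants=network-online.target

[Service]
User=$KEY_USER
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes \\
    -i /home/$KEY_USER/.ssh/id_ed25519 \\
    -R $PORT:localhost:22 $VPS_USER@$VPS_HOST
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# True if option $2 appears in the comma-separated option list $1.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# Audit one authorized_keys line: succeed only if the key is confined to
# reverse forwarding (restrict, or no-pty + no-X11 + no-agent; at least one
# permitlisten; no permitopen at all). Quoted values are blanked first so
# commas or spaces inside command="..." cannot mislead the checks
# (assumes no \" escapes inside quoted values).
key_is_listen_only() {
    line=$(printf '%s' "$1" | sed 's/"[^"]*"/""/g')
    case "$line" in ssh-*|ecdsa-*|sk-*) return 1 ;; esac   # bare key: no options
    opts=${line%% *}
    if ! has_opt "$opts" restrict; then
        has_opt "$opts" no-pty && has_opt "$opts" no-X11-forwarding &&
            has_opt "$opts" no-agent-forwarding || return 1
    fi
    has_opt "$opts" 'permitopen=""' && return 1
    has_opt "$opts" 'permitlisten=""'
}

# Prints one verdict per entry read on stdin, labelled by the key comment.
audit_authorized_keys() {
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue ;; esac
        if key_is_listen_only "$l"; then printf 'ok     %s\n' "${l##* }"
        else printf 'UNSAFE %s\n' "${l##* }"; fi
    done
}

# Constructed sample file (fake keys): an unrestricted key, the snippet the
# original post found, and the entry generated above.
SAMPLE_KEYS="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE old-laptop
command=\"echo 'Port forwarding only account.'\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen=\"localhost:8080\",permitopen=\"127.0.0.1:8080\" ssh-rsa AAAA-blahblahblahb found-snippet
$(authorized_keys_entry 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE nephew-laptop')"

# Stand-alone: "sh tunnel.sh show" prints the two server artifacts, the unit,
# then the audit of the sample file (UNSAFE, UNSAFE, ok).
if [ "${1:-}" = show ]; then
    sshd_match_block; echo; autossh_unit; echo
    printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
fi
```

Append the Match block after every non-Match directive in sshd_config, run sshd -t, and confirm what the account actually gets with sshd -T -C user=nephew,host=laptop,addr=203.0.113.5 | grep -iE 'maxsessions|permitopen|permitlisten|allowtcpforwarding' (host and addr are placeholders; the Match here keys on the user only). Because the unit sets StrictHostKeyChecking=yes, the VPS host key must already be in /home/tunnel/.ssh/known_hosts on the laptop, and the laptop must be running sshd on port 22. Once the tunnel is up, ssh -p 12345 user@localhost on the VPS reaches the laptop.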