Mailing List Archive

sshd port forwarding with no shell? chroot/jail?
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007

I'd like to allow a client with an authorized key
to start port forwarding on a server to his machine
without actually needing to log in or do anything
on the machine, or more I'd prefer there be no
access except starting the forwarding when the
client demands it.

I tried just setting up the chroot with no files
copied into the chrooted tree, just the auth keys
(actually those seem to work fine even outside
the chroot). Is there an option to let the port
forwarding/tunnel start up without anything else?
Is there a minimum of system files I still have to
copy into the chroot?

Additionally, I tried 'permitopen "host:port"....' specifying the client
side doing a remote port forward, but it doesn't have any effect.
Any way to specify an allowed IP:port for a remote
tunnel, or this is only good for local -L tunnels?

Thanks.

Re: sshd port forwarding with no shell? chroot/jail?
What I did was create /usr/bin/ports.pl that contains:

#!/usr/bin/perl -w
# Tell the user why there is no shell, then block on one line of input;
# the script (and with it the session) exits when the user presses Enter.
print "This account can only be used to forward ports\n";
<STDIN>;

and just that. For the user in question, set up his/her shell to be
/usr/bin/ports.pl (instead of /bin/bash or whatever). That way, when the
user logs in, they cannot do anything other than type enter to exit.

Works for me, and is short enough that there aren't any security issues
with it. (Can anybody see any that I've missed?)

Peter
--
Peter Valdemar Mørch
http://www.morch.com

RE: sshd port forwarding with no shell? chroot/jail?
Try ForceCommand in a Match block.
In the Match block you can also use ChrootDirectory.

See man sshd_config, search for Match.

Good luck,
Philipp

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Bill Eldridge
> Sent: Thursday, May 07, 2009 8:38 PM
> To: secureshell@securityfocus.com
> Subject: sshd port forwarding with no shell? chroot/jail?
>
>
> OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
>
> I'd like to allow a client with an authorized key
> to start port forwarding on a server to his machine
> without actually needing to log in or do anything
> on the machine, or more I'd prefer there be no
> access except starting the forwarding when the
> client demands it.
>
> I tried just setting up the chroot with no files
> copied into the chrooted tree, just the auth keys
> (actually those seem to work fine even outside
> the chroot). Is there an option to let the port
> forwarding/tunnel start up without anything else?
> Is there a minimum of system files I still have to
> copy into the chroot?
>
> Additionally, I tried 'permitopen "host:port"....' specifying the client
> side doing a remote port forward, but it doesn't have any effect.
> Any way to specify an allowed IP:port for a remote
> tunnel, or this is only good for local -L tunnels?
>
> Thanks.

Re: sshd port forwarding with no shell? chroot/jail?
So long as they are using keys you could put a command in front of the
key forcing only that action.

ex.
authorized_keys:
command="~/open_port.sh", ssh-rsa AAAAB3NzaC1yc2EAAAA...

Peter's way seems to cut out some middlemen, and might be better
security-wise.

Cheers,
Michael

Peter Valdemar Mørch (Lists) wrote:
> What I did was create /usr/bin/ports.pl that contains:
>
> #!/usr/bin/perl -w
> print "This account can only be used to forward ports\n";
> <STDIN>;
>
> and just that. For the user in question, set up his/her shell to be
> /usr/bin/ports.pl (instead of /bin/bash or whatever). That way, when the
> user logs in, they cannot do anything other than type enter to exit.
>
> Works for me, and is short enough that there aren't any security issues
> with it. (Can anybody see any that I've missed?)
>
> Peter

Re: sshd port forwarding with no shell? chroot/jail?
My point is I simply want them to be able to start the tunnel
and nothing else. If on the server side the "ssh -R ...." command
is executing the server-side operation, I would like that to be
the only command available: command="/usr/bin/ssh", ....
rather than giving another opportunity for a hack through
a Perl interpreter, Bash shell or other.

Actually, using command="/bin/false" seems to work for me -
lets me open up the tunnel, without allowing any shell commands.

Unfortunately, permitopen="129.37.16.40:8086", command=xxxx
does not seem to restrict the client to only that IP & port, which I
guess is because it's set up for "ssh -L" on the local (server) side,
not for an "ssh -R" from the remote (client) side.


The Doctor wrote:
> So long as they are using keys you could put a command in front of the
> key forcing only that action.
>
> ex.
> authorized_keys:
> command="~/open_port.sh", ssh-rsa AAAAB3NzaC1yc2EAAAA...
>
> Peter's way seems to cut out some middlemen, and might be better
> security-wise.
>
> Cheers,
> Michael
>
> Peter Valdemar Mørch (Lists) wrote:
>> What I did was create /usr/bin/ports.pl that contains:
>>
>> #!/usr/bin/perl -w
>> print "This account can only be used to forward ports\n";
>> <STDIN>;
>>
>> and just that. For the user in question, set up his/her shell to be
>> /usr/bin/ports.pl (instead of /bin/bash or whatever). That way, when the
>> user logs in, they cannot do anything other than type enter to exit.
>>
>> Works for me, and is short enough that there aren't any security issues
>> with it. (Can anybody see any that I've missed?)
>>
>> Peter
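Added example for this thread (my code, not anything from the thread's authors or from OpenSSH): a small Python audit of authorized_keys entries that makes the observations above concrete. Michael's command= prefix takes the shell away, Bill's permitopen only limits -L destinations, and nothing in the option set of OpenSSH 5.1 limits -R. The builder at the end uses two options that I know from later OpenSSH release notes, not from this thread: restrict (OpenSSH 7.2 and later) and permitlisten (7.8 and later), the latter being the -R counterpart of permitopen. Parsing follows the option grammar in sshd(8) (comma-separated options, double-quoted values, backslash escapes inside quotes); the sample lines and key strings are constructed placeholders.

```python
"""Audit authorized_keys entries for the "tunnel only, no shell" pattern.

Added example, not OpenSSH code.  Parsing follows sshd(8): optional
comma-separated option prefix (values double-quoted, backslash escapes
inside quotes), then key type, key, optional comment.  Version notes are
from my reading of the OpenSSH release notes: 'restrict' 7.2+, 'permitlisten' 7.8+.
"""

KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)


def split_options(text):
    """Split the option prefix on unquoted commas, dropping the quotes themselves."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])          # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            quoted = not quoted              # quotes delimit, they are not part of the value
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def _options_end(line):
    """Index of the first unquoted whitespace in line, or -1 if there is none."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in " \t" and not quoted:
            return i
        i += 1
    return -1


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    end = _options_end(line)
    head = line if end < 0 else line[:end]
    if head in KEY_TYPES:                    # no option prefix at all
        options, fields = [], line.split(None, 2)
    else:
        rest = "" if end < 0 else line[end:]
        options, fields = split_options(head), rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def assess(entry):
    """Summarise what the holder of this key can do once authenticated."""
    flags = {o.lower() for o in entry["options"] if "=" not in o}
    values = [o for o in entry["options"] if "=" in o]
    restricted = "restrict" in flags

    def allowed(feature):
        # 'restrict' switches everything off; the bare feature name switches one back on.
        return feature in flags if restricted else ("no-" + feature) not in flags

    def listed(option):
        return [v.split("=", 1)[1] for v in values if v.lower().startswith(option + "=")]

    command = next((v.split("=", 1)[1] for v in values if v.lower().startswith("command=")), None)
    forwarding = allowed("port-forwarding")
    return {
        "shell": command is None,            # without command= the login shell runs
        "command": command,
        "pty": allowed("pty"),
        "port_forwarding": forwarding,
        "local_forwards": (listed("permitopen") or ["any"]) if forwarding else [],     # -L only
        "remote_forwards": (listed("permitlisten") or ["any"]) if forwarding else [],  # -R only
    }


def audit(text):
    """Parse a whole authorized_keys file; returns [(comment, assessment), ...]."""
    return [(e["comment"], assess(e)) for e in map(parse_line, text.splitlines()) if e]


def forward_only(public_key_line, listen=None, open_=None, legacy=False):
    """Prefix a bare public key with options that permit tunnels and nothing else.

    listen / open_ are permitlisten / permitopen specs such as '8086' or 'host:port'.
    legacy=True spells out the no-* options for servers older than OpenSSH 7.2."""
    if legacy:
        if listen:
            raise ValueError("permitlisten is not available before OpenSSH 7.8")
        opts = ["no-pty", "no-agent-forwarding", "no-X11-forwarding", "no-user-rc"]
    else:
        opts = ["restrict", "port-forwarding"]
    opts.append('command="/bin/false"')       # the thread's finding: tunnel works, no shell
    if open_:
        opts.append('permitopen="%s"' % open_)
    if listen:
        opts.append('permitlisten="%s"' % listen)
    return ",".join(opts) + " " + public_key_line.strip()


# Constructed sample file; the key strings are placeholders, not real key material.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAA... alice@laptop
# the thread's attempt: no shell, but permitopen limits -L only, so -R stays unrestricted
command="/bin/false",no-pty,permitopen="129.37.16.40:8086" ssh-rsa AAAAB3NzaC1yc2EAAAA... tunnel-only
"""

if __name__ == "__main__":
    for comment, what in audit(SAMPLE):
        print("%-12s %s" % (comment, what))
    print(forward_only("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... bob@desk", listen="8086"))
```

Running the audit on the sample shows the second key with shell False but remote_forwards ["any"], which is exactly the gap Bill describes. Two caveats from my own experience, not from the thread: with command="/bin/false" the client must connect with -N (no remote command), otherwise the forced command exits at once and takes the session, and the forward, with it; and the server-side equivalents of these per-key options are a Match User block with ForceCommand plus PermitOpen (and PermitListen on 7.8 or later), which is what Philipp's reply points at.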