ændrük suggested a reverse connection for getting an easy SSH connection with someone else (for remote help). For that to work, an additional user is needed to accept the connection. This user needs to be able to forward his port through the server (the server acts as proxy).
How do I create a restricted user that can do nothing more than the above described?
The new user must not be able to:
- execute shell commands
- access files or upload files to the server
- use the server as proxy (e.g. webproxy)
- access local services which were otherwise not publicly accessible due to a firewall
- kill the server
Summarized, how do I create a restricted SSH user which is only able to connect to the SSH server without privileges, so I can connect through that connection with his computer?
Best Answer
TL;DR - go to the bottom of the answer, "Applying the restrictions"
Adding a restricted user consists of two parts: 1. Creating the user 2. Configuring the SSH daemon (sshd)
Configuring sshd
The best place to get known to the possibilities of SSH is by reading the related manual pages:
Where can SSH client perform actions?
Before you can restrict something, you need to know the features of SSH. Spitting through the manual pages yields:
From the Authentication section of the manual page of sshd(8):
Options for restricting SSH features
Files and their options that alter behavior are:
~/.ssh/authorized_keys
- contains keys which are allowed to connect which can be given options:command="command"
- The command supplied by the user (if any) is ignored. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. Note that this option applies to shell, command or subsystem execution.no-agent-forwarding
- Forbids authentication agent forwarding when this key is used for authentication.no-port-forwarding
- Forbids TCP forwarding when this key is used for authenticationno-X11-forwarding
- "Forbids X11 forwarding when this key is used for authentication."permitopen="host:port"
- Limit local 'ssh -L' port forwarding such that it may only connect to the specified host and port.~/.ssh/environment
- This file is read into the environment at login (if it exists). Environment processing is disabled by default and is controlled via the PermitUserEnvironment option~/.ssh/rc
- Contains initialization routines to be run before the user's home directory becomes accessible./etc/ssh/sshd_config
- the system-wide configuration fileAllowAgentForwarding
- Specifies whether ssh-agent(1) forwarding is permitted.AllowTcpForwarding
ForceCommand
- "Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option."GatewayPorts
- "Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect."PermitOpen
:PermitTunnel
- Specifies whether tun(4) device forwarding is allowed. The default is 'no'X11Forwarding
- Specifies whether X11 forwarding is permitted. The default is 'no'Applying the restrictions
Modifying the system-wide configuration file
/etc/ssh/sshd_config
allows the configuration be applied even if password-based authentication is applied or if the restrictions in~/.ssh/authorized_keys
are accidentally removed. If you've modified the global defaults, you should uncomment the options accordingly.Now add a user:
The option
ForceCommand
can be omitted if the shell is set to a non-shell like/bin/false
(or/bin/true
) as/bin/false -c [command]
won't do anything.Now the client can only connect to port 62222 on the loopback address of the server over SSH (it will not listen on the public IP address)
Disabling
AllowTcpForwarding
would also disallow the use of-R
, thus defeating the use of such a restricted account for forwarding a single port.PermitOpen localhost:62222
assumes that port 62222 on the server is never in use because the client can happily connect to it and listen on it too.If TCP forwarding is allowed in the system-wide configuration and disabled password-based authentication, you can use per-key settings as well. Edit
~/.ssh/authorized_keys
and add the next options before thessh-
(with a space between the options andssh-
):Verify
To be sure that it works as expected, some test cases need to be run. In the below commands,
host
should be replaced by the actual login if it's not set in~/.ssh/config
. Behind the command, a command is shown that should be executed on either the client or server (as specified).Conclusion
Checklist: The SSH user should not able to: