How to restrict a user only to portforwarding in SSH Tunnel
Wednesday, May 30th, 2007This sounds strange, what? Ok, let me tell you for what you would need that…I have a user which works with my MySQL-database by Windows-ODBC. The usual communication between client and server runs unencrypted. So I decided to tunnel the communication through an ssh-tunnel.
- Problem 1: User has shell-access and the user has the opportunity to log into my system and do things I don’t like.
Solution 1: Don’t give him shell-access, but a program which runs forever and the user gets some output on his terminal to get no timeout. - Problem 2: User could port-forward not only mysql-protocol but also SMTP, POP3… whatever. But I don’t want that.
Restrict him to forward only special ports.
Create a file ~user/.ssh/authorized_keys like this
# -> command=”…” # this command simply prints something to prevent a timeout while # the ssh-session is running. quoting-character like double quotes # in this command must be quoted with backslash # -> permitopen=”127.0.0.1:3306″ # restrict the person using this key to only portforwarding # 3306 to localhost # -> from=… # only allow connections from this host (not needed but sometimes useful) # the rest is the public key command=”/usr/bin/perl -e ‘$|=1;while (1) { print scalar localtime() . ”n”;sleep 30}’”, permitopen=”127.0.0.1:3308″, from=”box1.freebsd.org.in” ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key
Bookmark to:
