
SSH can be used for secure port forwarding, or tunneling, which carries data from a local port to a port on a remote server over the encrypted connection. Using OpenSSH on Linux, tunnels can also be created over SSH with either TUN or TAP interfaces, as long as proper routing is set up and, where appropriate, IP forwarding is enabled. For creating a TUN tunnel, I will leave here a practical script from Ip Tunnel Over Ssh With Tun; the script assumes you are running as root.

The following has the advantage that X11 and SSH agent socket forwarding are also disallowed, which might still be allowed in Caleb's way. Another advantage is that if the user is able to change his default shell by any other means, this will still restrict his SSH access to TCP forwarding only.

Put the following into your /etc/ssh/sshd_config:

Match User that-restricted-guy

This allows the user that-restricted-guy to forward any TCP connection through your SSH-enabled machine (connections to this machine, including localhost, and even connections from this machine to other machines).

If you want it even more restrictive (which is a good idea), you can also do the following, naming the permitted destination with PermitOpen:

Match User even-more-restricted-guy

This allows the user even-more-restricted-guy to only ever forward connections to 127.0.0.1 TCP port 12345 (as it is visible from your SSH-enabled machine).

When the user connects normally he will now be disconnected instantly, because the /bin/false command is triggered, which does nothing but exit immediately with a code of 1. If you want to avoid this and keep your forwarding connection open, add the -N flag to the ssh command: it does not try to execute any remote command but still sets up the TCP forwardings. An example of a forward command that should work in the latter setup:

ssh -L 12345:127.0.0.1:12345 -N

You can also control what people can do in ssh by matching groups, assuming your version of ssh is new enough to support it (OpenSSH 5.x+). Basically, we treat them as if they were sftp users, but allow TCP forwarding and optionally specify the destinations they may forward to (or leave out PermitOpen to allow forwarding to anywhere). If you give them a home directory but don't create any directories under it, they can't transfer any files, because they will not have permission to do so. You can repeat these Match Group blocks for each group to which you wish to give different behavior or restrictions.

Match Group is very limited in OpenSSH 4.x and earlier. Some of the above ssh options are available in older versions of OpenSSH, but not within a Match Group section.

You can further control where these users can go on the network using iptables. This assumes the group "nicepeople" has GID 500. Both rules are inserted at the top of the OUTPUT chain with -I, so the ACCEPT rule is inserted last so that it is evaluated before the REJECT:

/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -j REJECT
/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -m tcp -p tcp -d 192.168.0.0/24 -j ACCEPT

Then, go to the SSH Tab section, check the "Use MySQL SSH Tunnel" checkbox and fill out the fields as follows:

Host Name/IP Address: the Nexcess IP address or hostname.
User Name: the MySQL database username used to open the connection.
Password: the MySQL database user's password.
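As an added example (not code from the page or from OpenSSH), here is a small auditor that parses the Match blocks of an sshd_config and reports whether a forwarding-only user such as the ones above is really limited to TCP forwarding; the set of required directives is this script's own policy and the sample config is constructed.

```python
# Added example (not from the page or OpenSSH): audit the Match blocks of an
# sshd_config so that a forwarding-only user is really limited to TCP forwarding.
# REQUIRED is this script's own policy (an assumption); the keywords are standard
# sshd_config directives. Only the 'Keyword value' line form is parsed.

REQUIRED = {"forcecommand": None, "allowtcpforwarding": "yes",   # None: any value
            "x11forwarding": "no", "allowagentforwarding": "no"}  # ForceCommand e.g. /bin/false

def parse_match_blocks(config_text):
    """Return {match_spec: {keyword_lower: value}} for every Match block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current, blocks[value] = value, {}
        elif current is not None:                # lines before any Match are global
            blocks[current][key] = value
    return blocks

def audit(config_text):
    """Return {match_spec: [findings]}; an empty list means the block passes."""
    report = {}
    for spec, opts in parse_match_blocks(config_text).items():
        findings = []
        for key, wanted in REQUIRED.items():
            if key not in opts:
                findings.append("missing " + key)
            elif wanted is not None and opts[key].lower() != wanted:
                findings.append("%s is %s, expected %s" % (key, opts[key], wanted))
        if opts.get("permitopen", "any").lower() == "any":   # sshd default is any
            findings.append("PermitOpen unrestricted (user may forward anywhere)")
        report[spec] = findings
    return report

# Constructed sample config using the two user names from the text above.
SAMPLE = """
Match User that-restricted-guy
    AllowTcpForwarding yes
    ForceCommand /bin/false
Match User even-more-restricted-guy
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    PermitOpen 127.0.0.1:12345
    ForceCommand /bin/false
"""
```

Running audit(SAMPLE) flags the first user for missing X11Forwarding and AllowAgentForwarding and for an unrestricted PermitOpen, while the second block passes.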
