Mailinglist Archive: opensuse (2859 mails)
| < Previous | Next > |
Re: [opensuse] SSH tunnels without a real shell ?
- From: Seth Arnold <seth.arnold@xxxxxxx>
- Date: Thu, 3 May 2007 15:39:12 -0700
- Message-id: <20070503223912.GO28420@xxxxxxx>
On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
> is there a way to get expernal people to establish a SSH tunnel to one
> firewalled internal port without them getting a real shell to snoop around?
>
> I'd like to let some externals use our database server that sits
> behind a port filter. There is only the ssh port to come in.
>
> Up until now there was only me and I trust me enough to grant me a
> shell. ;-)
You could use AppArmor to confine your users to a restricted shell --
enough to let them login, but do nothing else once they are
authenticated. The pam_apparmor PAM module can help significantly -- put
all your untrusted users in a single group, and then give that group
very restricted privileges in AppArmor's sshd policy.
> Are there reasonably simple alternatives to do this without SSH?
stunnel can let you tunnel connections over SSL. Needs to be done on
both endpoints of course, and I'm not sure about windows builds of
stunnel, but it should be feasible.
> I've got SUSE 9.3 on our server and the clients would be all kinds of
> Windows.
Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider
upgrading the machine to a newer release -- 9.3 will be leaving
maintenance soon.)
Hope this helps
> is there a way to get expernal people to establish a SSH tunnel to one
> firewalled internal port without them getting a real shell to snoop around?
>
> I'd like to let some externals use our database server that sits
> behind a port filter. There is only the ssh port to come in.
>
> Up until now there was only me and I trust me enough to grant me a
> shell. ;-)
You could use AppArmor to confine your users to a restricted shell --
enough to let them login, but do nothing else once they are
authenticated. The pam_apparmor PAM module can help significantly -- put
all your untrusted users in a single group, and then give that group
very restricted privileges in AppArmor's sshd policy.
> Are there reasonably simple alternatives to do this without SSH?
stunnel can let you tunnel connections over SSL. Needs to be done on
both endpoints of course, and I'm not sure about windows builds of
stunnel, but it should be feasible.
> I've got SUSE 9.3 on our server and the clients would be all kinds of
> Windows.
Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider
upgrading the machine to a newer release -- 9.3 will be leaving
maintenance soon.)
Hope this helps
| < Previous | Next > |