[opensuse-security] SSH tunnels without a real shell?
Hi,

is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around? I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.

Up until now there was only me and I trust me enough to grant me a shell. ;-)

Are there reasonably simple alternatives to do this without SSH?

I've got SUSE 9.3 on our server and the clients would be all kinds of Windows. Our Internet connection has no fixed IP but this would be manageable with a dynamic dns service, I suppose.

--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Quoting Andreas (maps.on@gmx.net):
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around? I'd like to let some externals use our database server that sits behind a port filter.
One possibility might be to configure their ssh accounts to automatically start a specified command (command=... in the .ssh/authorized_keys file, for example). Whether that's possible in your case depends on what they need to do on your protected system. Whether it's secure depends on the capabilities of this command. If it allows escaping to a shell, nothing is gained.

Perhaps this helps,
Susan
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.

Markus
Markus Gaugusch wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.
Markus
Can I limit the possible tunnels per user? E.g. User-A can get just a tunnel to one or a selection of internal ports but User-B can get just port 80 and I get every port I like.

My concern is that my db-users should just see the db-port. There might be some among them who actually have a clue about ssh and could access every listening port on the server just by trying a few ssh-config options.

regards a.
There is a possibility to change iptables (or whatever firewall you use) to deny connections on other ports than the db-port for everyone except you (but you have to have a static IP). If you want, I can make you an iptables configuration, just write to my mail...

TheNewOne

Andreas wrote:
Markus Gaugusch wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.
Markus
Can I limit the possible tunnels per user? E.g. User-A can get just a tunnel to one or a selection of internal ports but User-B can get just port 80 and I get every port I like.
My concern is that my db-users should just see the db-port. There might be some among them who actually have a clue about ssh and could access every listening port on the server just by trying a few ssh-config options.
regards a.
Sorry, I can't provide fixed IPs. One of the goals is actually to have mobile users with dynamic internet connections use the database.

TheNewOne wrote:
There is a possibility to change iptables (or whatever firewall you use) to deny connections on other ports than the db-port for everyone except you (but you have to have a static IP). If you want, I can make you an iptables configuration, just write to my mail...
TheNewOne
Andreas wrote:
Markus Gaugusch wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.
Markus
Can I limit the possible tunnels per user? E.g. User-A can get just a tunnel to one or a selection of internal ports but User-B can get just port 80 and I get every port I like.
My concern is that my db-users should just see the db-port. There might be some among them who actually have a clue about ssh and could access every listening port on the server just by trying a few ssh-config options.
On Saturday, 19 May 2007, Andreas wrote:
Markus Gaugusch wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.
Markus
Can I limit the possible tunnels per user? E.g. User-A can get just a tunnel to one or a selection of internal ports but User-B can get just port 80 and I get every port I like.
My concern is that my db-users should just see the db-port. There might be some among them who actually have a clue about ssh and could access every listening port on the server just by trying a few ssh-config options.
That depends on your version of openssh. Newer versions (e.g. the version that comes with OpenSUSE 10.2) can restrict the forwarded connections through the options "PermitOpen" and "Match". Assuming that your db-users are in a group called "dbusers" and that you are running MySQL on the same host, you would have to put something like this at the end of your /etc/ssh/sshd_config:

Match Group dbusers
    PermitOpen 127.0.0.1:3306

Alternatively, if you are using key-based authentication, you can get the same results with the option permitopen="host:port" in your authorized_keys file.

Mike
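Putting Mike's Match/PermitOpen block together with Susan's forced command and Markus's /bin/cat shell, as an added example that is not from any post in this thread. It assumes, as in Mike's mail, a Unix group "dbusers" and MySQL listening on 127.0.0.1:3306 on the SSH host; the public key is a placeholder.

```sh
#!/bin/sh
# Added example, not code from any post in this thread.
# Assumptions (from Mike's mail): db users are in group "dbusers" and MySQL
# listens on 127.0.0.1:3306 on the SSH host. The public key is a placeholder.

# sshd_config fragment: append the output to the END of /etc/ssh/sshd_config
# (a Match block extends to the end of the file). Match, PermitOpen and
# ForceCommand date from OpenSSH 4.4, AllowAgentForwarding from 5.1 and
# PermitTTY from 6.2; drop the lines your sshd does not know.
sshd_match_block() {
    group="$1"; target="$2"
    printf 'Match Group %s\n' "$group"
    # Only this one local forward (-L) is accepted; every other target is refused.
    printf '    PermitOpen %s\n' "$target"
    printf '    AllowTcpForwarding yes\n'
    # Markus's trick: whatever shell or command the user requests becomes cat,
    # so the session just sits there and Ctrl-C ends it.
    printf '    ForceCommand /bin/cat\n'
    printf '    X11Forwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    PermitTTY no\n'
}

# authorized_keys line for key-based logins (Susan's command= plus Mike's
# permitopen=). These options only bind the key they sit on; password logins
# are not covered, which is what the Match block above is for.
authorized_keys_line() {
    target="$1"; pubkey="$2"
    printf 'command="/bin/cat",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s" %s\n' \
        "$target" "$pubkey"
}

# Print both fragments. The client then opens the tunnel with
#   ssh -N -L 3306:127.0.0.1:3306 dbuser@server     (-N: no remote command)
sshd_match_block dbusers 127.0.0.1:3306
authorized_keys_line 127.0.0.1:3306 'ssh-rsa AAAA...PLACEHOLDER dbuser@example'
```

After editing sshd_config, run `sshd -t` to check the syntax before restarting, and test from a dbusers account that a forward to any other port is refused.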
Hi Andreas,

check out scp-only. (And modify. ;-) )

Or, if you can use PPK Authentication: you can include a command to execute in Authorized Keys (search the man page for "command") and simply write a little C command doing nothing else than waiting for "Return" and exiting afterwards.

Greetings
Dirk

Andreas wrote:
Hi,
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
Up until now there was only me and I trust me enough to grant me a shell. ;-)
Are there reasonably simple alternatives to do this without SSH?
I've got SUSE 9.3 on our server and the clients would be all kinds of Windows. Our Internet connection has no fixed IP but this would be manageable with a dynamic dns service, I suppose.
Hi,

I myself can recommend using openvpn. It is easy to configure securely and lets your users connect to the virtual ethernet adapter, e.g. tun0, over an encrypted tunnel. Each user can have his own key and the howto is very good. You can then configure your firewall to only give access to the db port.

I use both solutions (also suse 9.3), ssh tunnel and openvpn. The only advantage of ssh in this case is that you don't have to install a virtual ethernet adapter on your client, e.g. one can connect from any windows client with internet access right from a usb stick with putty without any driver install. But if you always use the same clients this is not important... Another advantage is of course that badly programmed software only capable of connecting to localhost can be used.

openvpn also runs very reliably as a windows service, also with dynamic ips.

regards,
vbargsten

Andreas wrote:
Hi,
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
Up until now there was only me and I trust me enough to grant me a shell. ;-)
Are there reasonably simple alternatives to do this without SSH?
I've got SUSE 9.3 on our server and the clients would be all kinds of Windows. Our Internet connection has no fixed IP but this would be manageable with a dynamic dns service, I suppose.
participants (7)
- Andreas
- Dirk Schreiner
- Markus Gaugusch
- Michael Buchau
- Susan Dittmar
- TheNewOne
- vbargsten