On Thu, May 03, 2007 at 03:39:12PM -0700, Seth Arnold wrote:
> On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
> > Is there a way to get external people to establish an SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
> > I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
> > Up until now there was only me and I trust me enough to grant me a shell. ;-)
> > I've got SUSE 9.3 on our server and the clients would be all kinds of Windows.
> Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider upgrading the machine to a newer release -- 9.3 will be leaving maintenance soon.)
Also, if you're willing to upgrade to 10.2, openssh 4.4 includes the new server config option ForceCommand. From the sshd_config(5) man page:

    ForceCommand
        Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.

You could then add something like the following to /etc/ssh/sshd_config

    Match group dbusers
        ForceCommand sleep 180

(assuming you've added all the users you want to allow access to the database to the dbusers group.) This will cause the command "sleep 180" to run on behalf of the connecting user, regardless of what command they request.

You could also make a shell script which invokes sleep and then provide an AppArmor profile for the shell script to make the enforcement stronger. You'd also want to make sure sshd is not configured to honor environment variables (for those users at a minimum).

You may also wish to look into the "PermitOpen" keyword (also new in openssh 4.4), which would allow you to restrict which hosts+ports your users are allowed to create a tunnel to, preventing them from opening tunnels to anywhere else behind your port filter.

-- 
Steve Beattie
SUSE Labs, Novell Inc. <sbeattie@suse.de>
http://NxNW.org/~steve/
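As an added illustration of the setup Steve describes (example code, not part of his message and not OpenSSH's own), here is the "shell script which invokes sleep" written as a ForceCommand target, together with the sshd_config fragment that would point at it. Everything beyond the thread's own details is assumed: the wrapper path /usr/local/sbin/tunnel-only, the database host and port 10.0.0.5:5432, and the TUNNEL_HOLD_SECONDS knob (defaulting to the thread's 180 seconds) that exists only so the hold time can be shortened when exercising the script. The group dbusers comes from the thread. Note that in the 4.4-era keyword set PermitUserEnvironment is a global option and is not accepted inside a Match block, so it is shown at top level.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OpenSSH.
# Assumed names: /usr/local/sbin/tunnel-only (where this script would be
# installed), 10.0.0.5:5432 (constructed database host:port),
# TUNNEL_HOLD_SECONDS (test knob; default 180 as in the thread).

# Emit the sshd_config lines that confine the dbusers group to a tunnel.
# ForceCommand, PermitOpen and X11Forwarding are Match-able in openssh 4.4;
# PermitUserEnvironment is global, so it sits outside the Match block.
tunnel_only_sshd_config() {
    cat <<'EOF'
# Global: never let clients push environment variables into the session.
PermitUserEnvironment no

Match Group dbusers
    ForceCommand /usr/local/sbin/tunnel-only
    PermitOpen 10.0.0.5:5432
    X11Forwarding no
EOF
}

# The ForceCommand target. sshd already discards whatever command the
# client asked for; we additionally refuse the session outright if a
# command was requested, so the only thing that works is a bare
# "ssh -N -L ..." style port forward. Otherwise we sleep to keep the
# connection (and the client's forwarded port) alive, then exit.
tunnel_only() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "tunnel-only account: commands are not permitted" >&2
        return 1
    fi
    hold="${TUNNEL_HOLD_SECONDS:-180}"
    echo "tunnel-only session; no shell. Closing in ${hold}s." >&2
    sleep "$hold"
}

# When installed as /usr/local/sbin/tunnel-only and invoked by sshd,
# run the wrapper; sourcing the file for inspection leaves it inert.
if [ "${1:-}" = "--run" ]; then
    tunnel_only
fi
```

Installed, the script would be invoked by sshd as `/usr/local/sbin/tunnel-only --run` (the `--run` argument is part of the ForceCommand line in a real deployment; it is left off the emitted fragment above only to keep the config minimal). Users then connect with a Windows client that sets up a local forward to 10.0.0.5:5432 and nothing else; any attempt to run a command is refused, and PermitOpen stops the forward from being pointed anywhere but the database.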