On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
Is there a way to get external people to establish an SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
Up until now there was only me and I trust me enough to grant me a shell. ;-)
You could use AppArmor to confine your users to a restricted shell -- enough to let them log in, but do nothing else once they are authenticated. The pam_apparmor PAM module can help significantly -- put all your untrusted users in a single group, and then give that group very restricted privileges in AppArmor's sshd policy.
Are there reasonably simple alternatives to do this without SSH?
stunnel can let you tunnel connections over SSL. Needs to be done on both endpoints of course, and I'm not sure about Windows builds of stunnel, but it should be feasible.
I've got SUSE 9.3 on our server and the clients would be all kinds of Windows.
Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider upgrading the machine to a newer release -- 9.3 will be leaving maintenance soon.) Hope this helps.
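The stunnel alternative mentioned above, as an added configuration example that is not part of the original thread: a server-side stunnel.conf on the SUSE host and a client-side stunnel.conf for the Windows users. Since stunnel does no user authentication of its own, both sides are set to require and verify certificates (verify = 2) so that only holders of a client certificate issued by your own CA can reach the database port. Hostnames, file names, the listening port 5433 and the database port 5432 are assumptions; the syntax is stunnel 4.x style.

```ini
; ===== Server side: /etc/stunnel/stunnel.conf on the SUSE host =====
; Added example, not from the original mail. Paths, ports and hostnames are assumed.
; Server certificate and private key (PEM, concatenated).
cert   = /etc/stunnel/server.pem
; CA that issued the external users' client certificates.
CAfile = /etc/stunnel/clients-ca.pem
; Level 2: a client certificate is mandatory and must chain to CAfile.
; Without this, anyone who can reach port 5433 could talk to the database.
verify = 2
; Drop privileges after binding the listening socket.
setuid = stunnel
setgid = stunnel
pid    = /var/run/stunnel.pid

[db]
; The only port the port filter needs to open for the external users.
accept  = 5433
; The database itself keeps listening on localhost only.
connect = 127.0.0.1:5432

; ===== Client side: stunnel.conf on each Windows machine =====
; Run stunnel in client mode: accept plaintext locally, speak SSL to the server.
client = yes
; This user's client certificate and key, issued by clients-ca.
cert   = client.pem
; CA (or the server certificate itself) used to verify the server.
CAfile = server-ca.pem
; Refuse the tunnel if the server certificate does not verify.
verify = 2

[db]
; The database client on the Windows box is pointed at localhost:5432.
accept  = 127.0.0.1:5432
connect = dbhost.example.com:5433
```

The two parts are separate files; revoking an external user then means removing or revoking that user's client certificate, and the database never needs to accept connections from outside the host.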