[opensuse] SSH tunnels without a real shell ?
Hi,

is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?

I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.

Up until now there was only me and I trust me enough to grant me a shell. ;-)

Are there reasonably simple alternatives to do this without SSH?

I've got SUSE 9.3 on our server and the clients would be all kinds of Windows. Our Internet connection has no fixed IP but this would be manageable with a dynamic dns service, I suppose.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
Up until now there was only me and I trust me enough to grant me a shell. ;-)
You could use AppArmor to confine your users to a restricted shell -- enough to let them login, but do nothing else once they are authenticated. The pam_apparmor PAM module can help significantly -- put all your untrusted users in a single group, and then give that group very restricted privileges in AppArmor's sshd policy.
Are there reasonably simple alternatives to do this without SSH?
stunnel can let you tunnel connections over SSL. Needs to be done on both endpoints of course, and I'm not sure about Windows builds of stunnel, but it should be feasible.
I've got SUSE 9.3 on our server and the clients would be all kinds of Windows.
Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider upgrading the machine to a newer release -- 9.3 will be leaving maintenance soon.) Hope this helps
On Thu, May 03, 2007 at 03:39:12PM -0700, Seth Arnold wrote:
On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
I'd like to let some externals use our database server that sits behind a port filter. There is only the ssh port to come in.
Up until now there was only me and I trust me enough to grant me a shell. ;-)
I've got SUSE 9.3 on our server and the clients would be all kinds of Windows.
Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider upgrading the machine to a newer release -- 9.3 will be leaving maintenance soon.)
Also, if you're willing to upgrade to 10.2, openssh 4.4 includes the new server config option ForceCommand. From the sshd_config(5) man page:

    ForceCommand
        Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable.

You could then add something like the following to /etc/ssh/sshd_config

    Match group dbusers
        ForceCommand sleep 180

(assuming you've added all the users you want to allow access to the database to the dbusers group.) This will cause the command "sleep 180" to run on behalf of the connecting user, regardless of what command they request. You could also make a shell script which invokes sleep and then provide an AppArmor profile for the shell script to make the enforcement stronger. You'd also want to make sure sshd is not configured to honor environment variables (for those users at a minimum).

You may also wish to look into the "PermitOpen" keyword (also new in openssh 4.4), which would allow you to restrict which hosts+ports your users are allowed to create a tunnel to, preventing them from opening tunnels to anywhere else behind your port filter.

--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie@suse.de>
http://NxNW.org/~steve/
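A fuller version of the Match block Steve describes, as an added example that is not from the thread: the group name, the database host and the port are assumptions, and the options marked as newer than OpenSSH 4.4 apply to current servers only.

```text
# Added example, not from the thread. Assumed names: group "dbusers",
# database host "dbserver.internal", PostgreSQL port 5432.

# Global option: sshd does not accept it inside a Match block, so it stays
# here. Refuses environment variables supplied by the client (the point
# raised above about not honouring environment variables).
PermitUserEnvironment no

# Everything below applies only to members of the dbusers group;
# settings for all other users are untouched.
Match group dbusers
    # Run this instead of whatever the client asks for. The session stays
    # open for 180 seconds so the forwarded connection can be used, then ends.
    ForceCommand sleep 180
    # Local forwards (-L) may only target the database server; a forward to
    # any other host:port behind the filter fails with
    # "administratively prohibited" on the client side.
    PermitOpen dbserver.internal:5432
    # Keep TCP forwarding on (it is what these users need) but nothing else.
    AllowTcpForwarding yes
    X11Forwarding no
    GatewayPorts no
    # Not accepted inside Match by OpenSSH 4.4; drop these three lines there.
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
```

A client then connects with `ssh -N -L 5432:dbserver.internal:5432 user@gateway`; with -N no remote command is requested, so the sleep never runs, while PermitOpen still governs which forwards the server accepts.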
On Thursday 03 May 2007, Andreas wrote:
Hi,
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Yes, you can run any program you want thru the ssh tunnel.

    man ssh

Where in it states:

    ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
        [-D port] [-e escape_char] [-F configfile] [-i identity_file]
        [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
        [-O ctl_cmd] [-o option] [-p port]
        [-R [bind_address:]port:host:hostport] [-S ctl_path]
        [user@]hostname -----> [command]

That command bit is what you want.

--
_____________________________________
John Andersen
On Thursday 03 May 2007 23:11, Andreas wrote:
Hi,
is there a way to get external people to establish a SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
If you mean that the users should be able to log in but not do anything on the system just give them a non-interactive shell. The first that comes to my mind is to give them /usr/bin/sum as shell. Don't know if this is the best solution but a quick and easy one.

Ciao,
Daniel

--
J. Daniel Schmidt <jdsn@suse.de>
SUSE Linux Products GmbH
Research & Development
Maxfeldstr. 5
D-90409 Nürnberg
GF: Markus Rex, HRB 16746 (AG Nürnberg)
participants (5)
- Andreas
- J. Daniel Schmidt
- John Andersen
- Seth Arnold
- Steve Beattie