On Saturday, 19 May 2007, Andreas wrote:
Markus Gaugusch wrote:
is there a way to get external people to establish an SSH tunnel to one firewalled internal port without them getting a real shell to snoop around?
Use /bin/cat as shell. Pressing ctrl-c will then close the ssh session.
Markus
Can I limit the possible tunnels per user? E.g. User-A can get just a tunnel to one or a selection of internal ports but User-B can get just port 80 and I get every port I like.
My concern is that my db-users should just see the db-port. There might be some among them who actually have a clue about ssh and could access every listening port on the server just by trying a few ssh-config options.
That depends on your version of openssh. Newer versions (e.g. the version that comes with OpenSUSE 10.2) can restrict the forwarded connections through the options "PermitOpen" and "Match". Assuming that your db-users are in a group called "dbusers" and that you are running MySQL on the same host, you would have to put something like this at the end of your /etc/ssh/sshd_config:

Match Group dbusers
    PermitOpen 127.0.0.1:3306

Alternatively, if you are using key-based authentication, you can get the same results with the option permitopen="host:port" in your authorized_keys file.

Mike
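As an added illustration (not part of the thread above), here is a small audit helper that reads the "Match Group" / "PermitOpen" blocks Mike describes out of an sshd_config and evaluates whether a given forward target would be permitted. The sample config is constructed; it assumes only the simple "Match Group <name>" form and treats a port of "*" as a wildcard (newer OpenSSH allows this), so other Match criteria are ignored.

```python
from typing import Dict, List, Optional

# Constructed sample sshd_config, modelled on the fragment in the reply above.
SAMPLE_SSHD_CONFIG = """
Port 22
AllowTcpForwarding yes
Match Group dbusers
    PermitOpen 127.0.0.1:3306
Match Group webusers
    PermitOpen 127.0.0.1:80 127.0.0.1:443   # trailing comment, ignored
"""


def permit_open_by_group(config_text: str) -> Dict[str, List[str]]:
    """Return {group: [host:port, ...]} for every 'Match Group' block.

    Assumption: only the simple 'Match Group <name>' form is handled;
    any other Match criteria end the current block and are skipped.
    """
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            current = None
            if len(parts) >= 3 and parts[1].lower() == "group":
                current = parts[2]
                result.setdefault(current, [])
        elif key == "permitopen" and current is not None:
            result[current].extend(parts[1:])   # several targets may follow
    return result


def forward_permitted(permit_list: List[str], host: str, port: int) -> bool:
    """Decide whether a forward to host:port is allowed by a PermitOpen list.

    'any' lifts the restriction, 'none' blocks everything, otherwise the
    target must match an entry on host and port ('*' port = wildcard).
    An empty list means no PermitOpen was set, so sshd's default (any) applies.
    """
    if not permit_list or "any" in permit_list:
        return True
    if "none" in permit_list:
        return False
    for entry in permit_list:
        entry_host, _, entry_port = entry.rpartition(":")
        if entry_host.strip("[]") == host and entry_port in ("*", str(port)):
            return True
    return False
```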