You can control what people can do in ssh by matching groups, assuming your version of ssh is new enough to support it (openssh 5.x+).

Basically, we treat them as if they were sftp users, but allow tcp forwarding and optionally specify the destinations they may forward to. If you give them a home directory but don't create any directories under it, they can't transfer any files because they will not have permission to do so.

# Or leave out the PermitOpen to allow forwarding to anywhere.

You can repeat these Match Group blocks for each group that you wish to provide different behavior or restrictions.

You can further control where this person can go on the network using iptables:
/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -j REJECT
/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -m tcp -p tcp -d 192.168.0.0/24 -j ACCEPT
This assumes the group "nicepeople" GID is 500.

Some of the above ssh options are available in the older versions of openssh, but not within the Match Group section. Match Group is very limited in OpenSSH 4.x and earlier.

The following has the advantage that X11 and SSH agent socket forwardings are also disallowed, which might still be allowed in Caleb's way. Another advantage is that if the user is able to change his default shell through any other way, this will still restrict his SSH access to only TCP forwardings.

Put the following into your /etc/ssh/sshd_config:
Match User that-restricted-guy

This allows the user that-restricted-guy to forward any TCP connections through your SSH enabled machine (connections to this machine, also to localhost, and even connections from this machine to other machines). If you want it even more restrictive (which is a good idea) you can also do the following:
Match User even-more-restricted-guy

This will allow the user even-more-restricted-guy to only ever forward connections to 127.0.0.1 TCP port 12345 (as it is visible through your SSH enabled machine).

When the user normally connects he will now be instantly disconnected, because the /bin/false command will be triggered, which does nothing but instantly exit with a code of 1. If you want to avoid this and keep your forwarding connection open, add the -N flag to the ssh command. This will not try to execute any command but still allows setting up TCP forwardings. An example of a forward command that should work in the latter setup: ssh -L 12345:127.0.0.1:12345 -N

-R 8080:localhost:80 is usually not enough.

ssh(1), on -R: Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side. By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address *, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

Your tries with 127.0.0.1:8080 on the server indicate the listening socket is bound to the loopback interface. Most likely it is not bound to any other interface. You need to explicitly specify bind_address, or to use *, or to use an empty string as bind_address. The option with an empty bind_address looks like this (note the leading :): -R :8080:localhost:80

Additionally, the state of GatewayPorts in the sshd_config on the server is important.

sshd_config(5), on GatewayPorts: Specifies whether remote hosts are allowed to connect to ports forwarded for the client.
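As an added example that is not part of the thread, the checker below applies the Match-block rule the answers rely on (a keyword set in the first Match block that matches the account wins, otherwise the global section, otherwise the OpenSSH default) to a constructed sshd_config and reports anything that would let an account do more than one fixed TCP forward. It understands only Match User and Match Group criteria; the sample config, the user names and the 192.168.0.10:80 destination are assumptions, since the thread does not show its full Match bodies.

```python
# Added example (not from the thread); only "Match User"/"Match Group" criteria are handled.
from fnmatch import fnmatch
DEFAULTS = {  # forwarding-related keywords with OpenSSH's documented defaults
    "allowtcpforwarding": "yes", "permitopen": "any", "gatewayports": "no",
    "x11forwarding": "no", "allowagentforwarding": "yes", "forcecommand": None}
SAMPLE_CONFIG = """  # constructed sample; the thread does not show its full Match bodies
AllowTcpForwarding yes
X11Forwarding yes
Match User that-restricted-guy
    AllowAgentForwarding no
    X11Forwarding no
    PermitOpen 127.0.0.1:12345
    ForceCommand /bin/false
Match Group nicepeople
    PermitOpen 192.168.0.10:80
    ForceCommand /bin/false"""

def block_matches(criteria, user, groups):
    for crit, patterns in criteria.items():
        names = [user] if crit == "user" else list(groups) if crit == "group" else []
        if not any(fnmatch(n, p) for n in names for p in patterns.split(",")):
            return False
    return True

def effective(text, user, groups=()):
    """Per keyword: first matching Match block wins, else global section, else default."""
    global_opts, chosen = {}, {}
    target = global_opts  # section being filled; a non-matching block fills a throwaway dict
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # e.g. "Match User a,b Group nicepeople"
            words = rest.split()
            crit = {w.lower(): v for w, v in zip(words[::2], words[1::2])}
            target = chosen if block_matches(crit, user, groups) else {}
        else:  # sshd keeps the first value a keyword is given within a section
            target.setdefault(key, rest)
    return {k: chosen.get(k, global_opts.get(k, d)) for k, d in DEFAULTS.items()}

def audit(text, user, groups=()):
    """Findings that mean `user` is NOT confined to one fixed TCP forward."""
    eff = effective(text, user, groups)
    want = {"allowtcpforwarding": "yes", "x11forwarding": "no",
            "allowagentforwarding": "no", "gatewayports": "no"}
    checks = [(eff[k] != v, f"{k} is {eff[k]}, expected {v}") for k, v in want.items()]
    checks += [(eff["permitopen"] == "any", "PermitOpen is unrestricted: any host:port the server can reach"),
               (eff["forcecommand"] is None, "no ForceCommand: the account still gets its login shell")]
    return [msg for bad, msg in checks if bad]
```

Running audit(SAMPLE_CONFIG, "bob", ("nicepeople",)) shows why the group block alone is not enough: X11 and agent forwarding are still inherited from the global section and defaults.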