Thursday, 21 August 2008

Secure port forwarding without shell access

My aim was connection to ssh deamon on defined port (4321 for this example) different then default port and specific users (only for theusername for this example) without shell access and permiting port forwarding. Chroot for sshd is painfull.

Create custum sshd config file
cp /etc/ssh/sshd_config /etc/sshsshd_config_custom

Changed options in sshd_config_custom file
Port 4321
PermitRootLogin no
AllowUsers theusername

With this configuration file, only theusername could connect ssh deamon on port 4321.
Run sshd deamon
/usr/lib/ssh/sshd -f /data01/tcell/sshd_config_config

Change shell to /usr/bin/false in passwd file

vi /etc/passwd

If you do not have false shell create read only shell.
vi /usr/bin/dummyshell
add two lines below
bash -r -c read

Make executable
chmod a+x  /usr/bin/dummyshell

From remote computer:
So user had to use -N option for ssh command

Does not execute a remote command. This is useful if you
just want to forward ports (protocol version 2 only).

For port forwarding from another system
ssh -N theusername@ipadressoftheserver -L 9999: -p 4321

-p for changed ssh port in sshd_config_custom

Now user could not give any command on the server but could port forward 9999 from the server to computer.

No comments: