Thursday 21 August 2008

Secure port forwarding without shell access

My aim was to connect to an ssh daemon on a defined port (4321 in this example), different from the default port, as specific users only (only theusername in this example), without shell access but permitting port forwarding. Chroot for sshd is painful.


Create a custom sshd config file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_custom


Changed options in the sshd_config_custom file
Port 4321
PermitRootLogin no
AllowUsers theusername


With this configuration file, only theusername can connect to the ssh daemon on port 4321.
Run the sshd daemon with the custom config
/usr/lib/ssh/sshd -f /etc/ssh/sshd_config_custom


Change the user's shell to /usr/bin/false in the passwd file

vi /etc/passwd
Old line:
theusername:x:404:808::/homefolder:/bin/sh
New line:
theusername:x:404:808::/homefolder:/usr/bin/false


If you do not have a false shell, create a read-only dummy shell.
vi /usr/bin/dummyshell
Add the two lines below:
#!/bin/bash
bash -r -c read

Make it executable
chmod a+x /usr/bin/dummyshell

From the remote computer:
The user has to use the -N option of the ssh command:
     -N

Does not execute a remote command. This is useful if you
just want to forward ports (protocol version 2 only).


For port forwarding from another system
ssh -N theusername@ipaddressoftheserver -L 9999:127.0.0.1:9999 -p 4321


-p selects the changed ssh port set in sshd_config_custom

Now the user cannot run any command on the server but can forward port 9999 from the server to their computer.
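A check for the setup above, added here as an example and not part of the original post: it reads the custom sshd_config and a passwd file and reports whether a given user is limited to port forwarding. The function names and the constructed sample files are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a user is limited to
# port forwarding. Checks the custom sshd_config for the directives the post
# sets and a passwd file for a shell that cannot run commands. File paths are
# arguments so the check runs against the constructed samples below.
# Note: only the first non-comment match counts (as sshd does); Match blocks
# are not handled, and the default sshd_config for the daemon on port 22
# should be checked the same way, since AllowUsers here does not apply to it.

# Print the argument(s) of an sshd_config keyword (keywords are case-insensitive).
sshd_opt() {  # usage: sshd_opt CONFIG KEYWORD
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" 'NF && $1 !~ /^#/ && tolower($1) == key {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print the login shell (field 7) of a user in a passwd file.
passwd_shell() {  # usage: passwd_shell PASSWD USER
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# Return 0 when the user is forwarding-only; each failed condition is reported.
check_forward_only() {  # usage: check_forward_only CONFIG PASSWD USER PORT
    rc=0
    [ "$(sshd_opt "$1" Port)" = "$4" ] || { echo "Port is not $4"; rc=1; }
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not no"; rc=1; }
    case " $(sshd_opt "$1" AllowUsers) " in
        *" $3 "*) ;;
        *) echo "$3 is not in AllowUsers"; rc=1 ;;
    esac
    case "$(passwd_shell "$2" "$3")" in
        */false|*/nologin|*/dummyshell) ;;
        *) echo "$3 has a shell that can run commands"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files mirroring the post's configuration.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config_custom" <<'EOF'
# custom daemon for forwarding-only users
Port 4321
PermitRootLogin no
AllowUsers theusername
EOF
printf 'root:x:0:0::/root:/bin/sh\ntheusername:x:404:808::/homefolder:/usr/bin/false\n' > "$tmp/passwd"
check_forward_only "$tmp/sshd_config_custom" "$tmp/passwd" theusername 4321 && echo "theusername: forwarding only"
```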
