Wednesday, January 12, 2011

Securing SSH tunnels

We have an application that uses SSH to connect to a server: the application's network traffic (database, some custom TCP protocols, etc.) is tunneled through an SSH connection.

We use a key pair and an unprivileged account on the server, but the users can still use their key to log in to the server, or do whatever port redirection they want.

Is there a way to configure the SSH server to allow only some tunnels (restricted on the tunnels' end address and port), and disable shell access? (We use OpenSSH.)

[edit]

I came across this article; it seems like removing shell access is not enough. Changed title and description accordingly.

  • Setting the user's shell to /bin/false may do what you're looking for.

  • I believe you could set the ForceCommand directive to /bin/false to prevent shell access.

    From mhud
  • In your authorized_keys file you can specify which command will be run when they log in. You could simply set that command to run something that will just wait around for a long time. The sshd man page has a list of all the options you can use in your authorized_keys file.

    permitopen="tsserver.example.org:3389",no-pty,no-agent-forwarding,no-X11-forwarding,command="/usr/local/stm_shell.sh" ssh-rsa AAAAB3....
    

    My stm_shell.sh is this (it also enforces a 12 hour timeout). I am not 100% sure if this is completely secure.

    #!/bin/bash
    
    # send a hang-up after this process exits
    shopt -s huponexit
    # maximum session length in hours
    CONNECT_TIME=12
    # sleep counts in seconds, so convert hours to seconds
    sleep $((CONNECT_TIME * 3600))
    kill $PPID
    
    Dan Carley : Not so keen on the additional shell script, but the first part is the right answer.
    Zoredache : I should probably post as a separate question, but are there other ways to limit the total connect time?
    Dan Carley : Not that I'm aware of, using oSSH alone. The only timeouts relate to automatic keepalives. Bash has such a variable, but that's no use, because the shell should of course be /bin/false or equivalent.
    Luper Rouch : permitopen is what I was looking for, thanks. What exactly is the advantage of your script over /bin/false when used in combination with permitopen? (besides limiting sessions duration)
    From Zoredache
  • Maybe the "ChrootDirectory" keyword in the sshd_config (man sshd_config) might give a little more extra security.
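
An added example, not part of the original thread or of OpenSSH: a small Python auditor for the authorized_keys options shown in Zoredache's answer, reporting what each key entry still allows beyond a pinned tunnel. The function names are hypothetical, the sample entries are constructed, and the `restrict` keyword it also understands comes from OpenSSH releases newer than this thread.

```python
import re

# Quoted option values may contain spaces, commas and \" escapes.
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
FIELD = re.compile(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def split_options(line):
    """Return {lowercased option name: [values]} for one authorized_keys entry."""
    field = FIELD.match(line.strip())
    if field is None or KEY_TYPE.match(field.group(0)):
        return {}  # entry starts with the key type: no options at all
    opts = {}
    for name, value in OPTION.findall(field.group(0)):
        opts.setdefault(name.lower(), []).append(value)
    return opts

def disabled(opts, feature):
    """True if no-<feature> is set, or restrict is set without re-enabling <feature>."""
    return f"no-{feature}" in opts or ("restrict" in opts and feature not in opts)

def audit(line):
    """List what one key entry still allows; an empty list means tunnel-only."""
    opts = split_options(line)
    findings = []
    if not disabled(opts, "port-forwarding") and "permitopen" not in opts:
        findings.append("port forwarding to any destination")
    if "command" not in opts:
        findings.append("no forced command")
    for feature in ("pty", "agent-forwarding", "x11-forwarding"):
        if not disabled(opts, feature):
            findings.append(f"{feature} allowed")
    return findings

def audit_text(text):
    """Map line number -> findings for each key entry, skipping blanks and comments."""
    return {n: audit(line) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")}

# Constructed sample: the entry from the answer above plus two invented ones.
SAMPLE = """\
permitopen="tsserver.example.org:3389",no-pty,no-agent-forwarding,no-X11-forwarding,command="/usr/local/stm_shell.sh" ssh-rsa AAAAB3.... tunnel
ssh-rsa AAAAB3.... unrestricted
restrict,port-forwarding,permitopen="db.example.org:5432",command="/bin/false" ssh-ed25519 AAAAC3.... db
"""

if __name__ == "__main__":
    for n, findings in audit_text(SAMPLE).items():
        print(n, findings or "tunnel-only")
```

An entry with no options at all, like the second sample line, is the situation described in the question: the key can open a shell and forward to any destination.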
