Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited, and that the command= option applies to shell, command or subsystem execution. The relevant options in ~/.ssh/authorized_keys are (from sshd(8)):

- no-agent-forwarding - Forbids authentication agent forwarding when this key is used for authentication.
- no-port-forwarding - Forbids TCP forwarding when this key is used for authentication.
- no-X11-forwarding - Forbids X11 forwarding when this key is used for authentication.
- permitopen="host:port" - Limit local 'ssh -L' port forwarding such that it may only connect to the specified host and port.

The files involved:

- ~/.ssh/environment - This file is read into the environment at login (if it exists). Environment processing is disabled by default and is controlled via the PermitUserEnvironment option.
- ~/.ssh/rc - Contains initialization routines to be run before the user's home directory becomes accessible.
- /etc/ssh/sshd_config - the system-wide configuration file.

The relevant options in sshd_config (from sshd_config(5)):

- AllowAgentForwarding - Specifies whether ssh-agent(1) forwarding is permitted.
- ForceCommand - Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option.
- GatewayPorts - Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect.
- PermitOpen - Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the forms listed in sshd_config(5). Multiple forwards may be specified by separating them with whitespace. An argument of 'any' can be used to remove all restrictions and permit any forwarding requests.
- PermitTunnel - Specifies whether tun(4) device forwarding is allowed.
- X11Forwarding - Specifies whether X11 forwarding is permitted.

Modifying the system-wide configuration file /etc/ssh/sshd_config allows the restrictions to be applied even if password-based authentication is used or if the restrictions in ~/.ssh/authorized_keys are accidentally removed. If you've modified the global defaults, you should uncomment the options accordingly:

```
Match User limited-user
    #AllowTcpForwarding yes
    #X11Forwarding no
    #PermitTunnel no
    #GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:62222
    ForceCommand echo 'This account can only be used for '
```

Now add a user:

```
sudo useradd -m limited-user
```

The option ForceCommand can be omitted if the shell is set to a non-shell like /bin/false (or /bin/true), as /bin/false -c won't do anything.

Now the client can only connect to port 62222 on the loopback address of the server over SSH (it will not listen on the public IP address). Disabling AllowTcpForwarding would also disallow the use of -R, thus defeating the use of such a restricted account for forwarding a single port.

PermitOpen localhost:62222 assumes that port 62222 on the server is never in use, because the client can happily connect to it and listen on it too.

If TCP forwarding is allowed in the system-wide configuration and password-based authentication is disabled, you can use per-key settings as well. Edit ~/.ssh/authorized_keys and add the following options before the ssh- (with a space between the options and ssh-):

```
command="echo 'This account can only be used for '",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:62222"
```

To be sure that it works as expected, some test cases need to be run.
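A quick way to check both of the configurations described above before running the live test cases is to audit them as text. The following Python script is an added example, not code from the original post: it parses an authorized_keys line (handling the quoted, comma-containing command= value) and the Match User block of an sshd_config, then reports which of the restrictions discussed are missing. The sample key line and sample sshd_config are constructed, the key data is a placeholder, and the fallback defaults assume stock OpenSSH sshd_config(5) defaults rather than a distribution's patched default file.

```python
"""Audit the forwarding-only SSH restrictions from the post (added example)."""

# Upstream sshd_config(5) defaults used when neither the global section nor
# the Match block sets a keyword (assumption: stock OpenSSH defaults).
SSHD_DEFAULTS = {
    "allowtcpforwarding": "yes", "allowagentforwarding": "yes",
    "x11forwarding": "no", "permittunnel": "no", "gatewayports": "no",
    "permitopen": "any",
}

# Constructed sample inputs; the key material is a placeholder.
SAMPLE_AUTHORIZED_KEYS_LINE = (
    'command="echo \'This account can only be used for forwarding\'",'
    'no-agent-forwarding,no-X11-forwarding,permitopen="localhost:62222" '
    "ssh-ed25519 AAAAC3PLACEHOLDERKEYDATA limited-user@example"
)
SAMPLE_SSHD_CONFIG = """\
# constructed sample: global section, then the restricted account
PasswordAuthentication no
AllowTcpForwarding yes

Match User limited-user
    AllowAgentForwarding no
    X11Forwarding no
    PermitOpen localhost:62222
    ForceCommand echo 'This account can only be used for forwarding'

Match User someone-else
    PermitOpen any
"""


def parse_key_options(line):
    """Split an authorized_keys line into ({option: [values]}, key_type).

    Options are comma separated and end at the first unquoted whitespace;
    a double-quoted value may contain commas and backslash-escaped quotes.
    """
    opts, i, n = {}, 0, len(line)
    while i < n:
        j = i
        while j < n and line[j] not in "=, \t":
            j += 1
        name, value = line[i:j].lower(), True
        if j < n and line[j] == "=":
            j += 1
            if j < n and line[j] == '"':
                j, buf = j + 1, []
                while j < n and line[j] != '"':
                    if line[j] == "\\" and j + 1 < n:  # escaped character
                        j += 1
                    buf.append(line[j])
                    j += 1
                value, j = "".join(buf), j + 1  # skip the closing quote
            else:
                k = j
                while k < n and line[k] not in ", \t":
                    k += 1
                value, j = line[j:k], k
        if j < n and line[j] == ",":
            opts.setdefault(name, []).append(value)
            i = j + 1
            continue
        # Unquoted whitespace or end of line ends the option list. A line
        # that starts directly with the key type has no options at all.
        if name.startswith(("ssh-", "ecdsa-", "sk-")):
            return opts, name
        opts.setdefault(name, []).append(value)
        rest = line[j:].split()
        return opts, rest[0] if rest else ""
    return opts, ""


def audit_key_options(line):
    """Return findings for an authorized_keys line; [] means it matches the post."""
    opts, _ = parse_key_options(line)
    findings = [f"missing {needed}" for needed in
                ("command", "no-agent-forwarding", "no-x11-forwarding", "permitopen")
                if needed not in opts]
    if "no-port-forwarding" in opts:
        findings.append("no-port-forwarding also blocks the single permitted forward")
    return findings


def parse_sshd_config(text, user):
    """Return (global_opts, match_opts) with lowercased keywords.

    Only 'Match User <name>' is recognised; other Match criteria and the
    'Keyword=value' spelling are out of scope for this example.
    """
    global_opts, match_opts, section = {}, {}, None
    section = global_opts
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if not parts:
            continue
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            section = match_opts if value.lower() == f"user {user}".lower() else {}
        else:
            section[keyword] = value
    return global_opts, match_opts


def audit_sshd_config(text, user):
    """Return findings for the settings in effect for <user>; [] means fine."""
    global_opts, match_opts = parse_sshd_config(text, user)

    def effective(keyword):
        return match_opts.get(keyword, global_opts.get(keyword, SSHD_DEFAULTS.get(keyword, "")))

    findings = []
    if effective("allowtcpforwarding").lower() == "no":
        findings.append("AllowTcpForwarding no blocks the one forward the account exists for")
    for keyword, name in (("allowagentforwarding", "AllowAgentForwarding"),
                          ("x11forwarding", "X11Forwarding"),
                          ("permittunnel", "PermitTunnel"), ("gatewayports", "GatewayPorts")):
        if effective(keyword).lower() != "no":
            findings.append(f"{name} should be no")
    if effective("permitopen").lower() in ("", "any"):
        findings.append("PermitOpen is unrestricted")
    if "forcecommand" not in match_opts:
        findings.append("no ForceCommand (acceptable only with a non-shell login shell)")
    return findings


if __name__ == "__main__":
    print("authorized_keys findings:", audit_key_options(SAMPLE_AUTHORIZED_KEYS_LINE))
    print("sshd_config findings:", audit_sshd_config(SAMPLE_SSHD_CONFIG, "limited-user"))
```

Both audits return an empty list for the constructed samples; feeding them a key line that carries no-port-forwarding, or a config with AllowTcpForwarding no, produces the findings that correspond to the two pitfalls the post warns about (the single permitted forward being blocked, and PermitOpen left unrestricted). This is a static check of the text only; the live test cases the post calls for are still needed to confirm sshd's actual behaviour.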