Allow reverse SSH tunnel but not simple SSH

ssh linux ssh-tunnel

I have a computer (let's name it A) behind a NAT, and I need a SSH connection to it from another computer (let's name it B).

I saw that I needed an SSH reverse tunnel, I tried, and it works.

In order to make the reverse tunnel work, I had to add the public key of A in the authorized_keys file of B.

The problem is that (for security concerns) I don't want computer A to be able to ssh in the computer B and see/modify the files in it (A is kind of a slave of B).

Is it possible to avoid this?


Solution 1:

a computer (let's name it A) […] another computer (let's name it B). […] I had to add the public key of A in the authorized_keys file of B.

A common situation is to add the public key of particular user of A in the auhorized_keys file of particular user of B. It's not the key represents the whole computer A; similarly the authorized_keys file doesn't belong to the whole B.

You probably added the public key of some user alpha of A in the authorized_keys file of some user beta of B (the two users may use the same login, still they are on different machines, so let's keep distinct names alpha and beta).

My solution: set beta's login shell on B to /bin/false. You can do this (on B) with sudo usermod -s /bin/false beta.

This would cause the following restrictions:

  • beta cannot normally log into B at all; in particular ssh beta@B from A won't give anyone a shell, despite SSH authentication success;
  • commands like ssh beta@B whatever won't succeed;
  • neither SCP nor SFTP* trying to access beta's account won't work (see this comment).

It looks like there is no way for alpha on A to see or modify the files in B. However at the same time:

  • anyone able to authorize as beta can use ssh -N to establish SSH connection to B without running any command there; this is an example command alpha should invoke on A:

      ssh -N -R 1234:127.0.0.1:22 beta@B

  • you don't have to be beta to use the tunnel (although -R without specifying a bind address will bind only to the loopback interface of B, so you have to be on B to use the tunnel; see also man 5 sshd_config, GatewayPorts option).

Additionally check MaxSessions and PermitOpen options in man 5 sshd_config. I think if you use them properly then a possible attacker using alpha's private key won't be able to "capture" too many ports on B.

* Exception: SFTP will work without a functional shell if the server is configured to use Subsystem sftp internal-sftp.

Related

How do I properly configure Razer DeathAdder 3500 DPI on Mac OS X?
logrotate does not rotate at the time specified in crontab
What is difference between PCIe, mini-PCIe, M.2 m-key and e-key connections?
Logrotate running at wrong hour/time
Reducing PDF File size
Windows copy command concatenates several files in non-numerical order
Viewing images open in GIMP side by side
How can I automatically forward an e-mail and change sender?
How to change bios config from dhcp?
How to display windows instead of program icons in the Windows 11's taskbar?
Why is nothing drawn in PyGame at all?
Why is my collision test always returning 'true' and why is the position of the rectangle of the image always wrong (0, 0)?