On Thu, May 03, 2007 at 03:39:12PM -0700, Seth Arnold wrote:
> On Thu, May 03, 2007 at 11:11:12PM +0200, Andreas wrote:
> > is there a way to get external people to establish an SSH tunnel to one 
> > firewalled internal port without them getting a real shell to snoop around?
> > 
> > I'd like to let some externals use our database server that sits
> > behind a port filter.  There is only the ssh port to come in.
> > 
> > Up until now there was only me and I trust me enough to grant me a 
> > shell.  ;-)
> 
> > I've got SUSE 9.3 on our server and the clients would be all kinds of 
> > Windows.
> 
> Hrm. Forget AppArmor then, it didn't ship in 9.3. (Or, consider
> upgrading the machine to a newer release -- 9.3 will be leaving
> maintenance soon.)

Also, if you're willing to upgrade to 10.2, openssh 4.4 includes the
new server config option ForceCommand. From the sshd_config(5) man page:

  ForceCommand
        Forces the execution of the command specified by ForceCommand,
        ignoring any command supplied by the client.  The command is
        invoked by using the user's login shell with the -c option.
        This applies to shell, command, or subsystem execution.  It is
        most useful inside a Match block.  The command originally
        supplied by the client is available in the SSH_ORIGINAL_COMMAND
        environment variable.

You could then add something like the following to /etc/ssh/sshd_config

  Match group dbusers
        ForceCommand sleep 180

(assuming you've added all the users you want to allow access to the
database to the dbusers group.)  This will cause the command "sleep 180"
to run on behalf of the connecting user, regardless of what command
they request. You could also make a shell script which invokes sleep
and then provide an AppArmor profile for the shell script to make the
enforcement stronger.

You'd also want to make sure sshd is not configured to honor environment
variables (for those users at a minimum). You may also wish to look into
the "PermitOpen" keyword (also new in openssh 4.4), which would allow
you to restrict which hosts+ports your users are allowed to create a
tunnel to, preventing them from opening tunnels to anywhere else behind
your port filter.

-- 
Steve Beattie
SUSE Labs, Novell Inc. 
http://NxNW.org/~steve/
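The "shell script which invokes sleep" suggested above, as an added example that is not part of the original message: a forced-command wrapper, assumed to be installed at the hypothetical path /usr/local/bin/tunnel-only and named in the dbusers Match block as "ForceCommand /usr/local/bin/tunnel-only". It keeps the session open for port forwarding only, refuses sessions that asked for a command or a pty, and logs what the client tried.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed sshd_config fragment:
#   Match group dbusers
#         ForceCommand /usr/local/bin/tunnel-only   # hypothetical path
#         PermitOpen dbhost:5432                    # placeholder host:port
#         AllowTcpForwarding yes
#         X11Forwarding no
#         PermitUserEnvironment no

# Decide whether a session may sit idle for forwarding.
# $1: the command the client asked for (SSH_ORIGINAL_COMMAND, may be empty)
# $2: "tty" if a pty was allocated, "notty" otherwise
# Returns 0 to allow, 1 to reject.
tunnel_policy() {
  cmd=$1
  tty=$2
  # A plain "ssh -N -L ..." tunnel user supplies no command and no pty.
  # Anything else is an attempt to get interactive access: reject it
  # instead of running anything on the client's behalf.
  if [ "$tty" = "tty" ]; then
    return 1
  fi
  if [ -n "$cmd" ]; then
    return 1
  fi
  return 0
}

main() {
  if [ -t 0 ]; then ttystate=tty; else ttystate=notty; fi
  client=${SSH_CONNECTION%% *}   # first field is the client address
  if tunnel_policy "${SSH_ORIGINAL_COMMAND:-}" "$ttystate"; then
    logger -t tunnel-only "forwarding session: user=${USER:-?} from=${client:-?}"
    # Same idea as the post's "ForceCommand sleep 180": hold the session open
    # long enough for the forwarded connection, then let it drop.
    exec sleep 180
  fi
  logger -t tunnel-only "rejected: user=${USER:-?} from=${client:-?} cmd='${SSH_ORIGINAL_COMMAND:-}' tty=$ttystate"
  echo "This account only permits port forwarding (ssh -N -L)." >&2
  exit 1
}

# Only act when run by sshd under the installed name, so the policy function
# can also be sourced and checked on its own.
case ${0##*/} in
  tunnel-only) main "$@" ;;
esac
```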
