LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-05-2012, 11:42 AM   #1
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Rep: Reputation: Disabled
minimum priviligaes needed to create ssh tunnel?


I have a vps, running centOS, i want to give my friend an account, being able to create ssh tunnels, but not to be able to do 'anything' else at all (as much as possible!)
bandwith quota does not matter
in fact i dont trust him with my stuff on the server
 
Old 05-05-2012, 01:00 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
If you don't trust him, then don't give him an account on your server; it's that simple.

If you feel that you must, for some reason, look into the chroot functionality of SSH. Create a chroot jail that your friend's account will be confined to (you can use jailkit to do this, but honestly it's not hard to do it by hand), and then set up sshd to chroot the user account to that directory. Once done, be sure to test it carefully to make sure that the account is really confined before giving him his login credentials.
 
Old 05-05-2012, 01:14 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
I agree. If you don't trust him at all then you should think twice before allowing him to (ab)use your server as a conduit. Whatever he does will point to your IP address.

If you're doing this anyway try this:
- create an unprivileged user account and set an inert shell (/bin/false or /sbin/nologin),
- clear out his ~/ directory, create a ~/.ssh/ directory and generate a key for him with a good difficult pass phrase,
- give him the private key and stick the public part in ~/.ssh/authorized_keys.
- prefix the key data with
Code:
no-pty,no-X11-forwarding,from="IP_range",permitopen="serveraddress:serverport",command="/bin/echo disabled"
(key sig after the space) to deny allocating a pseudo-TTY, deny X11 forwarding, only allow him to connect from within a certain IP range and only allow him to open a specific port on your server.
- ensure access permissions are as needed then 'chattr =iu -R' his home directory to ensure nothing can be dropped there,
- additionally set some firewall rules for restricting and limiting traffic rates if your OpenVZ comes with the required modules, and
- additionally set some /etc/audit/audit.rules to track usage and ensure you read logs that Logwatch creates (you do run reporting, right?).
YMMV(VM) but I HTH
 
Old 05-05-2012, 02:02 PM   #4
loolooyyyy
Member
 
Registered: Nov 2011
Posts: 36

Original Poster
Rep: Reputation: Disabled
because of some unfortunate things happened i have to do him the favor
i could not install a newer openssh supporting chroot, (not thinking about compiling at all!) since i'm low on ram, 64MB
it has some dependencies, newer libc,libcrypto, and yum fails to allocate enough memory,swap is not supported, and all the services that could be stopped are stopped
so, i'm going with second method(wish i could do the first)

one more question:for keys, i do the `ssh-keygen` and put public key generated in USER/.ssh/authorized_keys and give him the generated private key with key's paraphrase, that's all, right? or do i have to name his username while generating keys?

thank you both

Last edited by loolooyyyy; 05-05-2012 at 02:05 PM.
 
Old 05-05-2012, 02:13 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by loolooyyyy View Post
for keys, i do the `ssh-keygen` and put public key generated in USER/.ssh/authorized_keys and give him the generated private key with key's paraphrase, that's all, right? or do i have to name his username while generating keys?
After you create the account just 'su' into his account and then run ssh-keygen. When done you send him the private key.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
create ssh tunnel using perl aarontwc Programming 6 11-19-2008 11:48 AM
How to create an SSH tunnel at boot up fregster Linux - General 7 11-15-2006 05:02 AM
the minimum files needed for x? Fascistchicken Linux - Software 2 10-14-2004 03:54 AM
Minimum packages needed 1kyle Linux - Software 4 03-23-2004 07:17 PM


All times are GMT -5. The time now is 08:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration