[ssh client]prevent to connect on every port exept one
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Thanks for the answer.
To be fully paranoïd, i would prevent this user trying to connect with an other identity.
I guess I'm not sure what you're worried about here. There should be no way this user can create a new account (unless they've already gained root access) and there really isn't any way you can stop this user if they manage to steal another users account name and password. You could move ssh to a key-based authentication system, which would make stealing another account significantly harder, but that is about the extent of what you can do.
Maybe if you fully explain your situation and what you're worried about, we can give some better advice.
We have several network.
Between this networks, only applications streams are open on the firewalls. For admin tasks, we use dedicated physical terminals.
My goal is to create a "dedicated network" inside my network for file transfert. Port 1234 will be open between some networks, where 22 musn't.
For exemple, imagine that somebody success in stealing an account/password on the high sensitive network. Imagine that this personn success in connecting on the public server with the chrooted account. So, he'll can use the "1234 network" to go to the sensitive machine, then log on it with a more powerfull account doing ssh powerfullaccount@localhost.
I'm not used to explain so much in english, so i hope i'm clear ;-)
I think i just found the solution (i have to test it before) : chmod and chown on /usr/bin/ssh, and allow user to sudo -u userssh /usr/bin/ssh_for_user.sh
ssh_for_user.sh is a script which parse command line form unauthorized options (such -P XXXX).
If it's good, userssh will try to connect : /usr/bin/ssh -P 1234 user@machine
I'm not used to explain so much in english, so i hope i'm clear ;-)
Believe me, your English is MUCH better than my French, and you are clear.
The solution you outline makes some sense and it certainly would throw up a roadblock or two.
I think a potentially better way to approach this would be to replace usernames and password authentication on the highly sensitive computers with key-based authentication. If you also remove a users ability to create a key pair, that would mean that a user would have to talk to an administrator to get the key pair. It would be more administrative hassle for you, but it would allow you to more completely control who has access to what machine.
Of course I'm assuming that it would be more difficult for a person to steal a key than it would be to steal a username and password. If you make the keys with a passphrase, then they would have to steal both the key file and the passphrase (which isn't transmitted across the network so they can't sniff it).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.