LinuxQuestions.org


loolooyyyy 05-05-2012 11:42 AM

minimum privileges needed to create ssh tunnel?
 
I have a VPS running CentOS. I want to give my friend an account that is able to create SSH tunnels, but not able to do 'anything' else at all (as much as possible!).
Bandwidth quota does not matter.
In fact I don't trust him with my stuff on the server.

btmiller 05-05-2012 01:00 PM

If you don't trust him, then don't give him an account on your server; it's that simple.

If you feel that you must, for some reason, look into the chroot functionality of SSH. Create a chroot jail that your friend's account will be confined to (you can use jailkit to do this, but honestly it's not hard to do it by hand), and then set up sshd to chroot the user account to that directory. Once done, be sure to test it carefully to make sure that the account is really confined before giving him his login credentials.

unSpawn 05-05-2012 01:14 PM

I agree. If you don't trust him at all then you should think twice before allowing him to (ab)use your server as a conduit. Whatever he does will point to your IP address.

If you're doing this anyway try this:
- create an unprivileged user account and set an inert shell (/bin/false or /sbin/nologin),
- clear out his ~/ directory, create a ~/.ssh/ directory and generate a key for him with a good difficult pass phrase,
- give him the private key and stick the public part in ~/.ssh/authorized_keys.
- prefix the key data with
Code:

no-pty,no-X11-forwarding,from="IP_range",permitopen="serveraddress:serverport",command="/bin/echo disabled"
(key sig after the space) to deny allocating a pseudo-TTY, deny X11 forwarding, only allow him to connect from within a certain IP range and only allow him to open a specific port on your server.
- ensure access permissions are as needed then 'chattr =iu -R' his home directory to ensure nothing can be dropped there,
- additionally set some firewall rules for restricting and limiting traffic rates if your OpenVZ comes with the required modules, and
- additionally set some /etc/audit/audit.rules to track usage and ensure you read logs that Logwatch creates (you do run reporting, right?).
YMMV(VM) but I HTH
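The account setup listed above, as an added shell example that is not code from the thread: it builds the restricted authorized_keys entry and, when run as root, creates the locked-down account around it. The user name, address range, server port and passphrase are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the restricted authorized_keys
# entry unSpawn describes and, as root, wraps the account creation around it.
# All host/port/range values are constructed placeholders.

# restricted_key_line FROM_RANGE SERVER_HOST SERVER_PORT PUBKEY_FILE
# Prints one authorized_keys line: the option list, a space, then the key data.
# permitopen only limits where -L forwards may go; no-pty plus the forced
# "command" keep a login from ever reaching a shell.
restricted_key_line() {
    from_range="$1"; host="$2"; port="$3"; pubkey_file="$4"
    # Keep only the key type and base64 blob; drop the trailing comment.
    key_data=$(awk 'NR==1 {print $1" "$2}' "$pubkey_file")
    [ -n "$key_data" ] || return 1
    printf 'no-pty,no-X11-forwarding,from="%s",permitopen="%s:%s",command="/bin/echo disabled" %s\n' \
        "$from_range" "$host" "$port" "$key_data"
}

# setup_tunnel_account USER FROM_RANGE SERVER_HOST SERVER_PORT PASSPHRASE
# Root only: unprivileged user, inert shell, empty home, server-generated
# keypair, restricted authorized_keys, then the home tree made immutable.
setup_tunnel_account() {
    user="$1"; from_range="$2"; host="$3"; port="$4"; passphrase="$5"
    home="/home/$user"
    useradd -M -d "$home" -s /sbin/nologin "$user"   # -M: no skeleton files
    install -d -m 700 -o "$user" -g "$user" "$home" "$home/.ssh"
    ssh-keygen -t rsa -b 4096 -N "$passphrase" -C "$user tunnel" \
        -f "$home/.ssh/tunnel_key"
    restricted_key_line "$from_range" "$host" "$port" "$home/.ssh/tunnel_key.pub" \
        > "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # The private key is handed over out of band; move it out of his home
    # before the tree is locked so it does not linger where he can read it.
    mv "$home/.ssh/tunnel_key" "/root/${user}_tunnel_key"
    chattr =iu -R "$home"
}

# Only act when invoked as root with all five arguments, e.g.
#   sh tunnel_account.sh friend 203.0.113.0/24 127.0.0.1 3306 'long pass phrase'
if [ "$#" -eq 5 ] && [ "$(id -u)" -eq 0 ]; then
    setup_tunnel_account "$@"
fi
```

After the setup, a login test with the private key (`ssh -i friend_tunnel_key friend@server`) should print only "disabled" and exit, while `-L` to the permitted host:port still works.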

loolooyyyy 05-05-2012 02:02 PM

Because of some unfortunate things that happened I have to do him the favor.
I could not install a newer OpenSSH supporting chroot (not thinking about compiling at all!) since I'm low on RAM, 64MB.
It has some dependencies, newer libc, libcrypto, and yum fails to allocate enough memory; swap is not supported, and all the services that could be stopped are stopped.
So, I'm going with the second method (wish I could do the first).

One more question: for keys, I do the `ssh-keygen` and put the generated public key in USER/.ssh/authorized_keys and give him the generated private key with the key's passphrase, that's all, right? Or do I have to name his username while generating keys?

Thank you both.

unSpawn 05-05-2012 02:13 PM

Quote:

Originally Posted by loolooyyyy (Post 4671103)
for keys, I do the `ssh-keygen` and put the generated public key in USER/.ssh/authorized_keys and give him the generated private key with the key's passphrase, that's all, right? Or do I have to name his username while generating keys?

After you create the account just 'su' into his account and then run ssh-keygen. When done you send him the private key.
