how to detect (and kill) tunnel-only ssh connections?
Dan Ritter
dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org
Wed Oct 14 10:11:31 EDT 2009
On Wed, Oct 14, 2009 at 09:44:03AM -0400, Kent Borg wrote:
> Dan Ritter wrote:
> > /etc/ssh/sshd_config:
> > AllowTcpForwarding No
> >
>
> That makes sense. So there is no way to set up just some users to not
> be able to forward...which is why the initial question was of interest.
SSH supports an awful lot of possible restrictions. To do it
per-user, though, you usually have to make them log in with
SSH keys, and place restrictions on the keys.
For example, you could set
AuthorizedKeysFile /etc/ssh/authkeys/%u
to require the authorized keys to be in that directory, and
named for the user in question. Don't give them write privs.
Handle the key installation yourself, and add restrictions like:
from="trusted-host.one,home-machine",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3Nza..
man authorized_keys is your friend.
-dsr-
--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
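The per-user setup described above, as an added example that is not part of Dan's post: a small POSIX sh helper that builds an authorized_keys line with the forwarding options disabled, installs it under a directory laid out for AuthorizedKeysFile /etc/ssh/authkeys/%u, and audits that directory for any key that still permits port forwarding. The directory name, the function names and the sample public keys are assumptions made for the example; the audit also accepts the newer OpenSSH restrict option, which disables forwarding among other things.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the
# AuthorizedKeysFile /etc/ssh/authkeys/%u layout; KEYDIR and the
# function names are this example's own choices.

KEYDIR="${KEYDIR:-/etc/ssh/authkeys}"

# restricted_key_line HOSTS PUBKEY
# Emit one authorized_keys line: from= limits the source hosts and the
# no-* options turn off agent, port and X11 forwarding. HOSTS must be a
# comma-separated pattern list with no spaces; sshd matches each
# pattern literally, so "a, b" would contain the pattern " b", not "b".
restricted_key_line() {
    hosts=$1
    pubkey=$2
    case "$hosts" in
        ''|*' '*) echo "restricted_key_line: bad host list '$hosts'" >&2; return 1 ;;
    esac
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "restricted_key_line: unrecognised key '$pubkey'" >&2; return 1 ;;
    esac
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$hosts" "$pubkey"
}

# install_restricted_key USER HOSTS PUBKEY
# Append the line to $KEYDIR/USER. The file is left readable by sshd but
# not writable by the user, so the user cannot relax the options; the
# directory itself should be owned by root (chown not shown here).
install_restricted_key() {
    user=$1
    line=$(restricted_key_line "$2" "$3") || return 1
    mkdir -p "$KEYDIR"
    printf '%s\n' "$line" >> "$KEYDIR/$user"
    chmod 0644 "$KEYDIR/$user"
}

# audit_keydir
# Print every key line under $KEYDIR that still allows port forwarding,
# i.e. carries neither no-port-forwarding nor the restrict option.
# Returns 1 if any such line was found, 0 otherwise.
audit_keydir() {
    bad=0
    for f in "$KEYDIR"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r l; do
            case "$l" in
                ''|'#'*) continue ;;
                *no-port-forwarding*) continue ;;
                restrict,*|restrict\ *|*,restrict,*|*,restrict\ *) continue ;;
                *) printf '%s: %s\n' "$f" "$l"; bad=1 ;;
            esac
        done < "$f"
    done
    return $bad
}
```

Run the audit from cron or a config-management check after any key change; a non-zero exit means someone installed a key without the forwarding restrictions, which is exactly the case the sshd_config-wide AllowTcpForwarding setting would have caught but a per-user scheme cannot unless the key files are policed.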