允许用户设置 SSH 隧道，但仅此而已 [英] Allow user to set up an SSH tunnel, but nothing else

问题描述

我希望允许用户在特定端口(例如 5000)上设置到特定机器的 SSH 隧道，但我想尽可能地限制该用户.(身份验证将使用公钥/私钥对).

I'd like to allow a user to set up an SSH tunnel to a particular machine on a particular port (say, 5000), but I want to restrict this user as much as possible. (Authentication will be with public/private keypair).

我知道我需要编辑相关的 ~/.ssh/authorized_keys 文件，但我不确定要在其中放入哪些内容(公钥除外).

I know I need to edit the relevant ~/.ssh/authorized_keys file, but I'm not sure exactly what content to put in there (other than the public key).

推荐答案

在 Ubuntu 11.10 上，我发现我可以阻止使用或不使用 -T 发送的 ssh 命令，并阻止 scp 复制，同时允许端口转发通过.

On Ubuntu 11.10, I found I could block ssh commands, sent with and without -T, and block scp copying, while allowing port forwarding to go through.

具体来说，我在绑定到 localhost:6379 的somehost"上有一个 redis-server，我希望通过 ssh 隧道安全地共享到其他具有密钥文件的主机，并将通过 ssh 连接:

Specifically I have a redis-server on "somehost" bound to localhost:6379 that I wish to share securely via ssh tunnels to other hosts that have a keyfile and will ssh in with:

$ ssh -i keyfile.rsa -T -N -L 16379:localhost:6379 someuser@somehost

这将导致 redis-server，somehost"上的localhost"端口 6379 出现在本地执行 ssh 命令的主机上，重新映射到localhost"端口 16379.

This will cause the redis-server, "localhost" port 6379 on "somehost" to appear locally on the host executing the ssh command, remapped to "localhost" port 16379.

在远程somehost"上这是我用于authorized_keys的:

On the remote "somehost" Here is what I used for authorized_keys:

cat .ssh/authorized_keys   (portions redacted)

no-pty,no-X11-forwarding,permitopen="localhost:6379",command="/bin/echo do-not-send-commands" ssh-rsa rsa-public-key-code-goes-here keyuser@keyhost

no-pty 会阻止大多数想要打开终端的 ssh 尝试.

The no-pty trips up most ssh attempts that want to open a terminal.

permitopen 解释了允许转发哪些端口，在本例中，端口 6379 是我想要转发的 redis-server 端口.

The permitopen explains what ports are allowed to be forwarded, in this case port 6379 the redis-server port I wanted to forward.

如果某人或某物确实设法通过 ssh -T 或其他方式向主机发送命令，则 command="/bin/echo do-not-send-commands" 会回显 "do-not-send-commands".

The command="/bin/echo do-not-send-commands" echoes back "do-not-send-commands" if someone or something does manage to send commands to the host via ssh -T or otherwise.

来自最近的 Ubuntu man sshd，authorized_keys/命令描述如下:

From a recent Ubuntu man sshd, authorized_keys / command is described as follows:

命令=命令"指定每当使用此键时执行命令用于身份验证.用户提供的命令(如果有)是忽略.

command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored.

尝试使用 scp 安全文件复制也会失败，并显示do-not-send-commands"的回声 我发现 sftp 在此配置下也失败.

Attempts to use scp secure file copying will also fail with an echo of "do-not-send-commands" I've found sftp also fails with this configuration.

我认为在之前的一些答案中提出的受限 shell 建议也是一个好主意.另外，我同意此处详细说明的所有内容都可以通过阅读man sshd"并在其中搜索authorized_keys"来确定

I think the restricted shell suggestion, made in some previous answers, is also a good idea. Also, I would agree that everything detailed here could be determined from reading "man sshd" and searching therein for "authorized_keys"

这篇关于允许用户设置 SSH 隧道，但仅此而已的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！