SSH tunnels and access restriction

When working with large Drupal sites that connect to web services protected by IP address, or when you are locked out by company firewalls, SSH port forwarding (also known as SSH tunnels) can be the solution.

I assume that you only allow users to connect to your servers using RSA key pairs. This is the secure way to use SSH; it gives you the most flexibility in configuring the server and allows you to apply configuration per user.

I'm in the situation where I want one account that every developer and project manager at the office can simply use by executing a script. So I want to limit what the SSH user account can be used for, namely SSH tunnels only. This can be achieved by adding configuration to the file .ssh/authorized_keys in the shared user's home directory.

Limit account usage

In the authorized_keys file you would normally store your users' public keys, but you can also place configuration options in front of each key.

The basic options are:

  • from: limits where the connection can be established from.
  • command: forces execution of a command at login, which can be used to prevent shell access or to limit access to a set of programs through a shell script.
  • permitopen: limits which hosts tunnels can be created to and which ports are allowed.
  • no-pty: refuses to allocate a pseudo-terminal, hence preventing interactive shell access.

So, assuming that you have generated a passphrase-less RSA private and public key pair, you can add this line to authorized_keys.

permitopen="opensearch.dk:8080",permitopen="openspell.dk:2080",command="/bin/echo You are not allowed shell access",no-pty rsa-public-key

This would allow anyone with the private key to create a tunnel to the two servers on ports 8080 and 2080 through the server (linuxdev.dk) with the following commands.

~$ ssh -fN linuxdev.dk -L 8000:opensearch.dk:8080 -i ~/id_rsa
~$ telnet localhost 8000

If you try to create a tunnel to a server and port not listed in a permitopen option, SSH will not complain when the tunnel is set up, but when you try to send any data (e.g. with telnet) through the tunnel you will get a "not authorized" error. If you try to SSH into the server, the echo command will run and you will be disconnected.
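To check that a shared account's authorized_keys entries really are limited to tunnels, here is an added audit helper (my own example, not code from the original post). It parses the option prefix the way sshd does (comma-separated options, double-quoted values, \" escaping a quote), evaluates permitopen rules for a requested host:port, and reports which of the three restrictions used above are missing. The key material and the shared@linuxdev comment in the test are constructed; the host names are the ones from the post.

```python
# Added example (not from the original post): audit an authorized_keys entry meant
# to allow tunnels only, following sshd's option syntax (values must be double-quoted).
import re

KEY_TYPES = ('ssh-rsa', 'ssh-ed25519', 'ssh-dss', 'ecdsa-sha2-', 'sk-')
REQUIRED = {'permitopen': '-L may reach any host:port',
            'command': 'interactive login is possible',
            'no-pty': 'a pseudo-terminal can be allocated'}

def parse_options(line):
    """Return (options, key_part); options is a list of (name, value), value None for flags."""
    line = line.strip()
    if line.startswith(KEY_TYPES):  # no option prefix at all
        return [], line
    opts, i, n = [], 0, len(line)
    while True:
        m = re.match(r'[A-Za-z0-9_-]+', line[i:])
        if not m:
            raise ValueError(f'bad option at offset {i}')
        name, i, value = m.group(0).lower(), i + m.end(), None
        if line[i:i + 2] == '="':  # quoted value, as sshd requires
            i, buf = i + 2, []
            while i < n and line[i] != '"':
                if line[i] == '\\' and line[i + 1:i + 2] == '"':
                    i += 1  # \" keeps the quote, drops the backslash
                buf.append(line[i])
                i += 1
            if i >= n:
                raise ValueError('unterminated quoted value')
            i, value = i + 1, ''.join(buf)
        opts.append((name, value))
        if line[i:i + 1] != ',':  # end of the option list, key type follows
            return opts, line[i:].strip()
        i += 1

def tunnel_allowed(opts, host, port):
    """permitopen semantics: no permitopen means any target; else one rule must match ('*' is a wildcard)."""
    rules = [v for name, v in opts if name == 'permitopen' and v]
    if not rules:
        return True
    for rule in rules:
        rhost, _, rport = rule.rpartition(':')
        if rhost in ('*', host) and rport in ('*', str(port)):
            return True
    return False

def audit_tunnel_only(line):
    """List the restrictions missing from an entry that is meant to permit tunnels only."""
    names = {name for name, _ in parse_options(line)[0]}
    return [f'{opt} missing: {why}' for opt, why in REQUIRED.items() if opt not in names]
```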

Other options

  • idle-timeout=5M, which will close the tunnel automatically if no data is transmitted for more than 5 minutes.

Tags

server SSH