Re: SSH forwarding with an "untrusted" user
I looked into something similar to what you're describing for a project
at work. We setup a user account so that it could only connect via SSH
(OpenSSH 3.x in this case) using public-key authentication, and then
defined some restrictions in ~/.ssh/authorized_keys. The net result
was that the account could be used to establish tunnels to predefined
hosts, but little else.
I don't have my notes handy at the moment, but I could dig them up
tomorrow and send you the particulars.
On Wed, Aug 14, 2002 at 12:34:45PM -0400, Mike Dresser wrote:
> I've got a series of remote locations that I need to be able to connect to
> from head office.
>
> I need to be able to give a user the ability to ssh in, using port
> forwarding(such as through putty), to a machine inside the firewall at
> the remote location.
>
> So I load up putty, setup the forward, and it works and all.
>
> Here's the catch.. There's a shell running in the background. How do I
> do this, without leaving a shell running around where the "untrusted" user
> can access it?
>
> There's an option in ssh to not allocate a pseudo-terminal, but I don't
> trust the user not to change that. I need something server-side for that
> user login.
>
> Mike
Reply to: