Re: limit certain ports to be forwarded through ssh account..



On Sun, Oct 15, 2006 at 10:47:58PM +0200, Eric Persson wrote:
> I'm interested in allowing a few selected users to forward their imap/smtp
> traffic over ssh. But I also want to prevent them from doing anything
> but that, they shouldn't be able to forward any ports, or get a shell at
> all, just some certain predefined ports.
> Is this possible with openssh or any other sshd?

It's not really clear in what context you want to set this up. I'll
assume that you have a bunch of users on client machines that can't
access the outside world, and a server running sshd that they could
potentially ssh to and then use port forwarding to access the world.

You could prevent them getting shell access by replacing their default
shell with a program that will do nothing, but sit and wait for them to
exit.

To limit access to the server, you could use the 'AllowUsers' keyword in
sshd_config, specifying only those users who you wish to access it.

iptables rules could then be put on the server, to restrict the ports
which can be reached. Bear in mind, however, that one of your users
could easily set up their own server outside your network and then put
any service they like on one of those open ports, to work around your
restrictions.

Cheers,

Paul

-- 
Paul Dwerryhouse				| PGP Key ID: 0x6B91B584
========================================================================
A look at Ubuntu Server Edition:
http://nepotismia.com/review/ubuntu/server/6.06/
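
The three measures suggested in the reply above (a do-nothing login shell, 'AllowUsers', and iptables port restrictions), sketched as an added example that is not part of the original message. The user names, port list and the /usr/local/bin/waitshell path are constructed, and the per-user iptables owner match is an assumption: it relies on forwarded connections being opened by an sshd process running as the logged-in user.

```shell
#!/bin/sh
# Added example: prints the configuration, applies nothing.
# Constructed values: users alice/bob, ports 25 143 993, /usr/local/bin/waitshell.

# sshd_config line that admits only the listed tunnel users.
sshd_allow_line() {
    echo "AllowUsers $*"
}

# Body of a do-nothing program to set as each tunnel user's login shell.
wait_shell_script() {
    cat <<'EOF'
#!/bin/sh
# Ignores any requested command and idles until the client disconnects.
trap 'exit 0' HUP INT TERM
echo "Port forwarding only."
while :; do sleep 60; done
EOF
}

# iptables commands limiting one user's outbound TCP to the given ports.
# Assumption: forwarded connections are made by an sshd process owned by
# that user, so the owner match (valid in the OUTPUT chain) applies to them.
# The final REJECT also blocks DNS lookups made as that user, so forwards
# should name their targets by IP address.
emit_iptables_rules() {
    user=$1; shift
    for port in "$@"; do   # validate every port before printing anything
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 1
        fi
    done
    for port in "$@"; do
        echo "iptables -A OUTPUT -p tcp -m owner --uid-owner $user --dport $port -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

sshd_allow_line alice bob
wait_shell_script
emit_iptables_rules alice 25 143 993
```

As the reply notes, these rules limit destination ports only; they do not control which service is listening on an allowed port of an outside host.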