Hi All. I am going to be deploying a Debian system at a location where I am unsure if I can make any inbound connection into that system. I am going to set up an SSH tunnel from that system to a host in my LAN.

What I am concerned about is the remote possibility of theft and therefore exposing my LAN to an inbound connection where a shell prompt can be obtained. I will be setting up a private/public key pair. My plan is to SSH into the internal host and then initiate an SSH connection to the defined port and ultimately log into the remote system.

The site is physically secure, but ... While I understand that at the remote end I can instruct the SSH client not to request a pseudo tty, if a thief has the private key, all he needs to do is initiate a connection and get a shell prompt on my internal host (due to being run from a startup script, the private key cannot be password protected, or can it?).

What I would like to do is in some way configure the ssh daemon on my internal host to not allow any access other than allocating the port for the reverse connection. Ideally, this restriction should be based on the public key of the pair but I've not seen in sshd_config(5) a way for the Match directive to use the public key as its trigger. If there is another way, I've yet to find it.

TIA - Nate

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
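The per-key restriction the post is looking for does not live in sshd_config's Match directive (whose criteria are User, Group, Host, Address and similar, not the key itself) but in the options field of the key's line in ~/.ssh/authorized_keys on the internal host; see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8). The script below is an added example, not code from the original post or from any Debian package. It assumes OpenSSH 7.8 or newer (`restrict` arrived in 7.2, `permitlisten` and the matching `PermitListen` server keyword in 7.8), a reverse-tunnel port of 2222 and a dedicated user named `tunnel`; the key blobs in the sample authorized_keys text are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: lock an SSH key down to "reverse tunnel only" and audit
# authorized_keys for entries that could still hand out a shell.
# Port 2222, user "tunnel" and the key blobs below are constructed placeholders.

# Build the authorized_keys line for a tunnel-only key.
#   restrict         disables pty allocation, X11/agent forwarding, user-rc
#                    and all port forwarding in one keyword
#   port-forwarding  re-enables forwarding, the one thing the remote box needs
#   permitlisten     only -R may bind this one port on the internal host
#   command=         if a shell or command is requested anyway, /bin/false runs
#                    and the session ends; a client started with -N never
#                    requests one, so the tunnel itself is unaffected
restricted_key_line() {
  port="$1"
  pubkey="$2"   # "ssh-ed25519 AAAA... comment", as produced by ssh-keygen
  printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' \
    "$port" "$pubkey"
}

# Belt and braces on the server side: the same limits pinned to the user that
# owns the tunnel key, so a forgotten option on one key line cannot undo them.
# Append the output to /etc/ssh/sshd_config and reload sshd.
sshd_match_block() {
  port="$1"
  cat <<EOF
Match User tunnel
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding remote
    PermitListen localhost:${port}
    ForceCommand /bin/false
EOF
}

# Audit: read authorized_keys text on stdin and print the comment of every key
# whose options do not include "restrict". "no-pty" alone is not enough, because
# "ssh host some-command" runs commands without a pty. Option values containing
# spaces or the string "ssh-" are not handled by this simple field split.
audit_authorized_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                    # skip comments and blank lines
    {
      kt = 0                                         # field index of the key type
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { kt = i; break }
      if (kt == 0) next                              # not a key line we understand
      opts = ""
      for (i = 1; i < kt; i++) opts = opts $i " "    # everything before the key type
      comment = (kt + 2 <= NF) ? $(kt + 2) : "(no comment)"
      if (opts !~ /(^|[, ])restrict([, ]|$)/) print comment
    }'
}

# Constructed sample authorized_keys: one unrestricted key, one tunnel-only key,
# one that relies on no-pty alone.
SAMPLE_KEYS='# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001 laptop-full-shell
restrict,port-forwarding,permitlisten="localhost:2222",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0002 remote-debian-tunnel
no-pty,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY0003 legacy-no-pty-only
'

# Stand-alone run: show the hardened line, the Match block, and the audit result.
if [ "${1:-}" = "demo" ]; then
  restricted_key_line 2222 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0002 remote-debian-tunnel'
  sshd_match_block 2222
  echo "keys that can still yield a shell:"
  printf '%s' "$SAMPLE_KEYS" | audit_authorized_keys
fi
```

Running `sh script.sh demo` prints the hardened key line, the Match block and the two offending comments (`laptop-full-shell`, `legacy-no-pty-only`); the `remote-debian-tunnel` entry passes. With this in place the remote box connects with `ssh -N -R 2222:localhost:22 tunnel@internal-host`, and a stolen key buys an attacker nothing but the ability to open that one listener. The private key on the remote side still cannot be passphrase-protected when started from a boot script; the authorized_keys options are what make that acceptable.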