
Re: Securing local host of reverse SSH tunnel?



> Ideally, this restriction should be based on
> the public key of the pair but I've not seen in sshd_config(5) a way for
> the Match directive to use the public key as its trigger

Not an expert, but did you look at certificate-based authentication? You can define your own certificate authority and allow only the certificates signed (it's a public key) by your CA to connect to your SSH server.

1 - Generate a key pair for the CA (and another for the remote user)

ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca -m PEM

2 - Sign the public key of the user
ssh-keygen -s ca \
-I <user-name> \
-V 20191220:20201220 \
user_key.pub
<user-name> will be logged on your server every time a connection is opened with user_key.pub. -V stands for key validity.

3 - Allow on your LAN (SSH server)

TrustedUserCAKeys /secure/permission/ca.pub

This means any certificate signed with this CA will be granted access to your server. Of course you can restrict which users are allowed to log in (particularly prevent root login 😂).

Note: using certificate-based authentication, you can even choose what kind of features are allowed to be used with a particular certificate, a.k.a. AllowX11Forward and many more. Maybe a good reading of the ssh doc may provide you a better approach for your use case. ssh(1)

Hope this will help.
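The three steps above, worked through as an added example that is not part of the original reply: a throw-away CA signs the tunnel user's key with a pinned principal, a validity window and a cleared option set that re-enables only port forwarding, then the certificate is read back with `ssh-keygen -L` so the constraints can be checked before the certificate is handed out. The work directory, key names, principal `tunnel` and the `/etc/ssh/...` paths in the sshd snippet are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Requires only ssh-keygen; paths are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/ssh-ca-demo.$$"
CERT="$WORK/user_key-cert.pub"

# Step 1: a CA key pair and a separate key pair for the remote tunnel user.
make_keys() {
    rm -rf "$WORK" && mkdir -p "$WORK"
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'tunnel-user' -f "$WORK/user_key"
}

# Step 2: sign the user's public key. -I is the identity written to sshd's log,
# -n pins the principal(s) the cert is valid for, -V bounds its lifetime, and
# -O clear drops every default permission (pty, x11, agent, ...) before
# re-adding only port forwarding, which is all a reverse-tunnel client needs.
sign_user_key() {
    ssh-keygen -q -s "$WORK/ca" \
        -I 'tunnel-user@example.invalid' \
        -n tunnel \
        -V +52w \
        -O clear \
        -O permit-port-forwarding \
        "$WORK/user_key.pub"
}

# Step 3 (server side): trust the CA and map each login account to the
# principals it may present, instead of relying on per-user authorized_keys.
write_sshd_snippet() {
    cat > "$WORK/tunnel.conf" <<'EOF'
TrustedUserCAKeys /etc/ssh/ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
EOF
}

# Check: does the decoded certificate list the given principal or extension on
# a line of its own? Prints yes/no so the result can be asserted in a script.
cert_contains_line() {
    if ssh-keygen -L -f "$CERT" | grep -q "^[[:space:]]*$1[[:space:]]*\$"; then
        echo yes
    else
        echo no
    fi
}

main() {
    make_keys && sign_user_key && write_sshd_snippet
    ssh-keygen -L -f "$CERT"          # shows principals, validity, extensions
    echo "principal tunnel: $(cert_contains_line tunnel)"
    echo "permit-pty:       $(cert_contains_line permit-pty)"
    rm -rf "$WORK"
}
```

Run it as a script to see the decoded certificate; `permit-pty` is reported as absent because `-O clear` removed it.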


