stdio to port forward?
Damien Miller
djm at mindrot.org
Mon May 24 19:41:40 EST 2004
Dan Kaminsky wrote:
> A user cannot configure their public keys with a server w/o access to
> some sort of shell. Another reason to support a pubkey subsystem -- we
> also get to avoid homegrown PHP flying around the file system with root
> permissions updating authorized_keys files and getting away with it
> because "ssl makes it se-kure" :-)
An alternative would be to just make the user's shell a script that does
"nc host 22", but then you lose some ability to control destinations.
> Also, an obvious disadvantage of the system below is that the client
> can't direct its final destination. That makes it a no-go for most
> bastion uses (what are you going to use -- a separate account for each
> destination? A separate port?).
In the past I have used either a separate key or a separate account.
All of the SSH bastion/proxies that I have configured have only allowed
access to a relatively small number of hosts; I'm sure that others will
have other needs.
-d
More information about the openssh-unix-dev mailing list