securing a hop
Carl Karsten
carl at nextdayvideo.com
Sun Dec 29 15:06:35 AEDT 2019
For the "A (behind NAT) B C, connect back to A using -R 2222:localhost:22" pattern
(see diagram at https://github.com/daradib/sidedoor)
I want to limit B's user to just what is needed to do the port forward.
I am hoping this is documented, but I can't find much more than "you should
figure out how to secure it."
I set up an Ansible playbook to install and configure sidedoor on A. I have
written some docs on securing B, which is mostly:
1. Append to /etc/ssh/sshd_config (user is from sidedoor.yml):
Match User {user}
    MaxSessions 60
    PasswordAuthentication no
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTunnel no
    PermitTTY no
    Banner none
    ForceCommand /bin/false
https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184
Those options are from me reading the docs and collecting tips I found on the
internet. A friend pointed out "be aware sftp is likely enabled."
Once I have something solid, hopefully someone can find a place for it to
live and projects like mine and sidedoor can reference it.
--
Carl K
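As an added example (not code from the post, from sidedoor, or from the Debian video team Ansible repo): a small Python audit that parses an sshd_config with Match blocks, computes the settings sshd would apply to one user the way sshd does (global values, overridden per keyword by the first satisfied Match block), and flags anything a connect-back-only account should not have. It goes a little beyond the posted block: it prefers AllowTcpForwarding remote over yes, since the -R pattern needs only remote forwarding, and also looks for AllowAgentForwarding no and a PermitListen line (PermitListen exists since OpenSSH 7.8). Both configs are constructed inline, the user name "sidedoor" stands in for the {user} placeholder, and only "Match User" criteria are modelled.

```python
"""Compute which sshd_config settings apply to one user and flag the ones a
connect-back-only account should not have (added example, not from the post)."""
import fnmatch

# Constructed sample: two global lines plus the Match block quoted in the post
# (minus MaxSessions/Banner/ChrootDirectory), with "sidedoor" standing in for {user}.
POSTED_CONFIG = """
PasswordAuthentication yes
AllowTcpForwarding yes
Match User sidedoor
    PasswordAuthentication no
    X11Forwarding no
    AllowTcpForwarding yes
    PermitTunnel no
    PermitTTY no
    ForceCommand /bin/false
"""

# Same account tightened (also constructed): remote (-R) forwarding only, pinned
# to one listener with PermitListen, agent forwarding switched off explicitly.
HARDENED_CONFIG = """
Match User sidedoor
    PasswordAuthentication no
    AllowTcpForwarding remote
    PermitListen localhost:2222
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    ForceCommand /bin/false
"""

# keyword -> (sshd default per sshd_config(5), values acceptable for this account).
# "remote" not "yes": -R needs only remote forwarding; "yes" would also let the
# account open -L tunnels from B into A's network.
CHECKS = {
    "allowtcpforwarding": ("yes", {"remote"}),
    "allowagentforwarding": ("yes", {"no"}),
    "permittty": ("yes", {"no"}),
    "x11forwarding": ("no", {"no"}),
    "permittunnel": ("no", {"no"}),
    "passwordauthentication": ("yes", {"no"}),
}
REQUIRED = ("forcecommand", "permitlisten")  # must be set for the user


def parse_sshd_config(text):
    """Return (global_settings, [(match_args, settings), ...]), keywords lowercased.
    Only the "Keyword value" form is parsed; first occurrence in a block wins, as in sshd."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1].strip('"') if len(parts) > 1 else "")
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks


def _block_applies(match_args, user):
    """Only 'Match User <pattern-list>' is modelled (simplification): '*'/'?' wildcards,
    comma-separated alternatives, a matching '!' pattern vetoes the block.
    Any other criterion (Group, Address, 'all', ...) counts as unsatisfied."""
    tokens = match_args.split()
    if len(tokens) != 2 or tokens[0].lower() != "user":
        return False
    matched = False
    for pattern in tokens[1].split(","):
        if fnmatch.fnmatchcase(user, pattern.lstrip("!")):
            if pattern.startswith("!"):
                return False
            matched = True
    return matched


def effective_settings(text, user):
    """Global settings, overridden per keyword by the first satisfied Match block setting it."""
    global_settings, blocks = parse_sshd_config(text)
    effective, decided = dict(global_settings), set()
    for match_args, settings in blocks:
        if _block_applies(match_args, user):
            for keyword, value in settings.items():
                if keyword not in decided:
                    effective[keyword] = value
                    decided.add(keyword)
    return effective


def audit_user(text, user):
    """Return [(keyword, problem), ...]; an empty list means the account is forward-only."""
    effective = effective_settings(text, user)
    findings = []
    for keyword, (default, acceptable) in CHECKS.items():
        value = effective.get(keyword, default).lower()
        if value not in acceptable:
            how = "set to" if keyword in effective else "defaults to"
            findings.append((keyword, f"{how} {value!r}, want {sorted(acceptable)}"))
    findings += [(k, "not set for this user") for k in REQUIRED if k not in effective]
    return findings
```

Against the posted block this reports three things: AllowTcpForwarding is yes rather than remote, AllowAgentForwarding is left at its default of yes, and no PermitListen pins which port the account may bind. On a real host, cross-check the script's view with `sshd -T -C user=sidedoor`, which prints the configuration sshd would actually apply to that user.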
More information about the openssh-unix-dev mailing list