securing a hop

Stuart Henderson stu at spacehopper.org
Mon Dec 30 06:32:00 AEDT 2019


On 2019/12/28 22:06, Carl Karsten wrote:
> for the A nat B C connect back to A using -R 2222:localhost:22 pattern,
> (see diagram at https://github.com/daradib/sidedoor)
> I want to limit B's user to just what is needed to do the port forward.
> 
> I am hoping this is documented, but I can't find much more than "you should
> future out how to secre it."
> 
> I setup an ansible playbook to instal and configure sidedoor on A. I have
> written some docs on securing B which is mostly:
> 
> 1. append to /etc/ssh/sshd_config (user is from sidedoor.yml)
> Match User {user}
>     MaxSessions 60
>     PasswordAuthentication no
>     ChrootDirectory %h
>     X11Forwarding no
>     AllowTcpForwarding yes

AllowTcpForwarding also accepts local/remote to add restrictions, and/or
you can set PermitOpen to restrict which address/ports can be forwarded.

>     PermitTunnel no
>     PermitTTY no
>     Banner none
>     ForceCommand /bin/false

Others seem sane.

> https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184
> 
> Those options are from me reading the docs and collecting tips i found on
> internet.  A friend pointed out "be aware sftp is likely enabled."

ForceCommand prevents running the sftp server process.

> Once I have something solid, hopefully someone can find a place for it to
> live and projects like mine and sidedoor can reference it.



More information about the openssh-unix-dev mailing list