securing a hop
Stuart Henderson
stu at spacehopper.org
Mon Dec 30 06:32:00 AEDT 2019
On 2019/12/28 22:06, Carl Karsten wrote:
> for the A nat B C connect back to A using -R 2222:localhost:22 pattern,
> (see diagram at https://github.com/daradib/sidedoor)
> I want to limit B's user to just what is needed to do the port forward.
>
> I am hoping this is documented, but I can't find much more than "you should
> future out how to secre it."
>
> I setup an ansible playbook to instal and configure sidedoor on A. I have
> written some docs on securing B which is mostly:
>
> 1. append to /etc/ssh/sshd_config (user is from sidedoor.yml)
> Match User {user}
> MaxSessions 60
> PasswordAuthentication no
> ChrootDirectory %h
> X11Forwarding no
> AllowTcpForwarding yes
AllowTcpForwarding also accepts local/remote to add restrictions, and/or
you can set PermitOpen to restrict which address/ports can be forwarded.
> PermitTunnel no
> PermitTTY no
> Banner none
> ForceCommand /bin/false
Others seem sane.
> https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184
>
> Those options are from me reading the docs and collecting tips i found on
> internet. A friend pointed out "be aware sftp is likely enabled."
ForceCommand prevents running the sftp server process.
> Once I have something solid, hopefully someone can find a place for it to
> live and projects like mine and sidedoor can reference it.
More information about the openssh-unix-dev
mailing list