securing a hop
Carl Karsten
carl at nextdayvideo.com
Mon Dec 30 09:22:56 AEDT 2019
On Sun, Dec 29, 2019 at 1:32 PM Stuart Henderson <stu at spacehopper.org>
wrote:
> On 2019/12/28 22:06, Carl Karsten wrote:
> > for the A nat B C connect back to A using -R 2222:localhost:22 pattern,
> > (see diagram at https://github.com/daradib/sidedoor)
> > I want to limit B's user to just what is needed to do the port forward.
> >
> > I am hoping this is documented, but I can't find much more than "you
> should
> > future out how to secre it."
> >
> > I setup an ansible playbook to instal and configure sidedoor on A. I have
> > written some docs on securing B which is mostly:
> >
> > 1. append to /etc/ssh/sshd_config (user is from sidedoor.yml)
> > Match User {user}
> > MaxSessions 60
> > PasswordAuthentication no
> > ChrootDirectory %h
> > X11Forwarding no
> > AllowTcpForwarding yes
>
> AllowTcpForwarding also accepts local/remote to add restrictions, and/or
> you can set PermitOpen to restrict which address/ports can be forwarded.
>
oh this brings up something I want to address: which I'm not sure the terms
to use to describe, so bear with me.
I want the A-B connection to only allow a port on B to be forwarded back to
A.
The server should enforce this as I can't control what happens with A or
the key pair used.
If that isnt clear:
A,B,C are hostnames, user and admin are usernames.
user's private key is on A and public key is on B - that's how the A to B
connection is made:
user at A:$ ssh -R 2222:localhost:22 user at B
admin connects form C to B to A using admin's keys.
I'm assuming user's keys will be taken. (don't have physical security on A,
trying to do that is too hard)
what I don't want is: user keys are taken home to box D, D connects to B
and used B as a open proxy.
>
> > PermitTunnel no
> > PermitTTY no
> > Banner none
> > ForceCommand /bin/false
>
> Others seem sane.
>
> > https://salsa.debian.org/debconf-video-team/ansible/merge_requests/184
> >
> > Those options are from me reading the docs and collecting tips i found on
> > internet. A friend pointed out "be aware sftp is likely enabled."
>
> ForceCommand prevents running the sftp server process.
>
>
Specifying a command to prevent all commands seems sloppy.
It seems like it needlessly exposes an attack surface.
Shouldn't there be a "don't allow commands" option?
> > Once I have something solid, hopefully someone can find a place for it to
> > live and projects like mine and sidedoor can reference it.
>
>
--
Carl K
More information about the openssh-unix-dev
mailing list