comp.security.ssh SSH secure remote login and tunneling tools.

SSH Forward port only

04/09/2007, 11:45   #1
marcin.praczko@googlemail.com

Hi everyone.

I would like to configure OpenSSH in such a way that a user can log in only
using keys and can only, for example, tunnel one port from the local
machine to the remote one.

Is it possible, and if yes, how (where can I find information about
that)?

Details:

HOST ----- INTERNET ---- SERVER with SSH

Now, HOST should have access to SERVER only by keys (not interactive)
etc., and it would like to do port tunnelling.

For example:
HOST:3306 ---- Remote 3306 (MySQL) - so it will connect to the remote
MySQL through an encrypted tunnel - but no other access should be given.

Marcin Praczko.

05/09/2007, 14:25   #2
Darren Tucker

Re: SSH Forward port only

On 2007-09-04, marcin.praczko@googlemail.com <marcin.praczko@googlemail.com> wrote:
> I would like to configure OpenSSH in such a way that a user can log in only
> using keys and can only, for example, tunnel one port from the local
> machine to the remote one.
>
> Is it possible, and if yes, how (where can I find information about
> that)?


Both of those things are possible with OpenSSH.

There are two ways to do it. The first method ("Match") needs a recent
version (4.6 or the just-released 4.7) but is relatively easy to set up.
The second (key restrictions in authorized_keys) will work with pretty
much any version, but requires some care to prevent the user from
subverting it.

First, you can apply directives on a per-user or per-host basis by using
the "Match" directive in sshd_config. Any directives following a Match
apply only to connections that meet the specified criteria.

Next, you can control which authentications are offered by way of the
*Authentication directives. To allow only public keys, set all of the
other authentications that are enabled to "no" after the Match.

Lastly, you can control where a user can send port forwards to via the
PermitOpen directive.

These are all described in the sshd_config(5) man page.

Putting it all together, you would end up with something like this at
the bottom of sshd_config:

Match User someuser
PubkeyAuthentication yes
PasswordAuthentication no
# maybe some other authentications too, depending on what's enabled
PermitOpen mysqlserver:3306

Restart sshd and that should do it.

If you wanted to restrict it to just one host you could do that by making
the Match line more specific, eg:

Match User someuser Host somehost

Just remember:

a) using a hostname runs the risk of someone tampering with DNS, so use
"Match Address" instead if possible.

b) The *first* Match that matches overrides the default, but subsequent
matches do not, and this happens for each directive in isolation. So,
if you wanted to allow "someuser" to use pubkey from only one host while
allowing all other users to use pubkey from anywhere, you would need
something like this:

PubkeyAuthentication yes
Match User someuser Host somehost
PubkeyAuthentication yes
Match User someuser
PubkeyAuthentication no


The second method (key restrictions in authorized_keys) works for versions
older than 4.6. See the sshd(8) man page and look for "permitopen="
and "from=". You will also have to take steps to make sure that the
user can't edit the authorized_keys file.

The only way to prevent the user from using password authentication is
to either edit the password file and set an invalid password string,
or set a strong password and don't tell the user what it is.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
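Both methods from the answer above, worked through as an added example (this is not code from the thread or from OpenSSH; it is an editor's illustration). It builds the sshd_config Match block and the restricted authorized_keys entry for a key-only account that may open exactly one local forward, and, when an sshd binary is available, syntax-checks the fragment and prints the settings sshd would actually apply to that user with `sshd -T -C`. The account name `mysqltunnel`, the client address `192.0.2.10`, the forward target `127.0.0.1:3306` and the root-owned key path `/etc/ssh/authorized_keys/%u` are assumptions. Several directives and key options used here (`AuthenticationMethods`, `PermitTTY`, `AllowTcpForwarding local`, the `restrict` key option) post-date the 2007 thread; the `*_legacy` variant shows the older spelling with `no-pty`, `no-X11-forwarding` and `command=` that the thread's `permitopen=`/`from=` advice relied on.

```shell
#!/bin/sh
# Added example, not from the thread: build and sanity-check the two
# restrictions Darren describes (a Match block in sshd_config, and a
# restricted authorized_keys entry) for a key-only account that may open
# exactly one forward.  Names below are assumptions, not from the thread.

TUNNEL_USER=mysqltunnel        # assumed account name
CLIENT_ADDR=192.0.2.10         # assumed client address (Match Address, not Host: no DNS)
FORWARD_TARGET=127.0.0.1:3306  # the only destination the user may forward to

# Method 1: per-user Match block for the end of sshd_config.  Beyond the
# Pubkey/Password/PermitOpen trio from the answer it also closes the other
# channels the user could use: no tty, no shell (ForceCommand), no remote
# forwards, no agent/X11/tun.  AuthorizedKeysFile points at a root-owned
# path so the user cannot edit their own key restrictions.  The client then
# connects with: ssh -N -L 3306:127.0.0.1:3306 mysqltunnel@server
match_block() {
    cat <<EOF
Match User $TUNNEL_USER Address $CLIENT_ADDR
    AuthenticationMethods publickey
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    AllowTcpForwarding local
    PermitOpen $FORWARD_TARGET
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Method 2: key restrictions in authorized_keys (OpenSSH 7.2+ spelling).
# "restrict" turns every facility off, "port-forwarding" re-enables forwards,
# permitopen= confines them to one destination, from= ties the key to the
# client address, and command= makes any shell/exec request run /bin/false
# (restrict alone does not stop command execution).  $1 is the public key
# line, e.g. "ssh-ed25519 AAAA... comment".
authorized_keys_line() {
    printf 'from="%s",restrict,port-forwarding,permitopen="%s",command="/bin/false" %s\n' \
        "$CLIENT_ADDR" "$FORWARD_TARGET" "$1"
}

# Same intent with the options that existed when the thread was written.
authorized_keys_line_legacy() {
    printf 'from="%s",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="%s",command="/bin/false" %s\n' \
        "$CLIENT_ADDR" "$FORWARD_TARGET" "$1"
}

# Live check when OpenSSH is installed: write the fragment with a throwaway
# host key, syntax-test it (sshd -t), then print the settings sshd would
# apply to a connection from TUNNEL_USER at CLIENT_ADDR (sshd -T -C ...).
# $1 is the config file to write (its directory must exist).
check_effective_config() {
    cfg=$1
    if ! command -v sshd >/dev/null 2>&1 || ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "sshd/ssh-keygen not found; skipping live check" >&2
        return 0
    fi
    ssh-keygen -q -t ed25519 -N '' -f "$cfg.hostkey" >/dev/null 2>&1 || return 1
    { printf 'HostKey %s\n' "$cfg.hostkey"; match_block; } > "$cfg"
    sshd -t -f "$cfg" || return 1
    sshd -T -f "$cfg" -C "user=$TUNNEL_USER,host=client.example,addr=$CLIENT_ADDR" |
        grep -E '^(authenticationmethods|passwordauthentication|allowtcpforwarding|permitopen|permittty|forcecommand) '
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

# Constructed placeholder, not a real key: substitute the client's public key.
pubkey='ssh-ed25519 AAAA... mysqltunnel@client'

echo '# Append to sshd_config:'
match_block
echo
echo "# /etc/ssh/authorized_keys/$TUNNEL_USER (root-owned, mode 0644, directory 0755):"
authorized_keys_line "$pubkey"
echo
echo '# Pre-7.2 servers:'
authorized_keys_line_legacy "$pubkey"
echo
check_effective_config "$tmp/sshd_config" || echo "live check failed" >&2
```

The `sshd -T -C user=...,addr=...` step is the check worth keeping: it shows the merged result of the default settings and the Match block for that particular user and source address, which is the easiest way to catch the first-match-wins behaviour Darren warns about in point (b). If the printed `permitopen` or `allowtcpforwarding` line is not what you expect, a Match block earlier in the file has already claimed that directive.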