
I've looked around Google for a solution to this problem and I may be horribly over-complicating it.

All I'm looking for is a way to automatically forward certain ports as soon as a user logs in.

Basically, I'm working on a website which serves as a portal to different server-software running on the host. I want to create a limited number of SSH users with heavy restrictions; the only point of them having an account is to forward ports.

The question I have is whether it's possible for me to set up some configuration option in SSH so that whenever one of these restricted users logs in, they automatically have a number of host ports forwarded to them.

The idea here is that the website I'm making just has a list of URLs pointing to http://localhost:PORTS. I looked into "EscapeChar" and I suppose I could set up a script that forwards the ports by using something similar to "~C-L PORT:localhost:PORT".

Is there something more simple? Am I missing something here?

AvaMango
  • I don't think there will be a straight out of the box option. I think you might want to write a hook for ssh that checks when someone successfully logs in and then automatically loads some iptable rules. – Lucas Kauffman Jan 10 '12 at 21:01
  • If the only purpose of SSH is to create TCP forwards to HTTP services running on localhost, you're probably better off if you leave out SSH and deploy SSL with client certificate validation instead. – unixtippse Jan 11 '12 at 16:23

2 Answers


I don't believe you can do anything on the server side to forward ports. I am pretty sure you need the client to set up the port forwarding.

The SSH client tunnels can be pretty easily configured in the client configuration.

If you wish to limit users to a certain command and certain ports they can request open, then you can use the command and permitopen option in the authorized_keys file. See the sshd man page for details.

Zoredache
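The restriction described in the answer above, as an added example that is not part of the original posts: a shell helper that builds the server-side authorized_keys entry (forwarding only, limited by permitopen) and the matching client-side ssh config stanza. It assumes OpenSSH 7.2 or later for the `restrict` option; the helper names, the `portal` alias, host name, user name and key placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are hypothetical.

# Accept only decimal ports 1-65535 with no leading zero, so nothing passed
# as a "port" can smuggle quotes or commas into the authorized_keys options.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# authorized_keys_line "<public key>" port...
# Server side: "restrict" turns off pty, agent, X11 and forwarding;
# "port-forwarding" re-enables forwarding, and each permitopen names one
# allowed destination. The forced command gives no shell if a session is asked for.
authorized_keys_line() {
    key=$1; shift
    opts='restrict,port-forwarding,command="/bin/false"'
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        opts="$opts,permitopen=\"localhost:$p\""
    done
    printf '%s %s\n' "$opts" "$key"
}

# client_stanza alias server user port...
# Client side: the client requests the forwards, one LocalForward per port.
client_stanza() {
    alias_=$1 server=$2 user=$3; shift 3
    printf 'Host %s\n    HostName %s\n    User %s\n' "$alias_" "$server" "$user"
    printf '    ExitOnForwardFailure yes\n'
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        printf '    LocalForward %s localhost:%s\n' "$p" "$p"
    done
}

# Demo with constructed values (the key material is a placeholder, not a real key).
authorized_keys_line "ssh-ed25519 AAAA...constructed... fwd1@portal" 8080 9000
client_stanza portal portal.example.com fwd1 8080 9000
```

With the stanza in the client's ~/.ssh/config, `ssh -N portal` opens the forwards without requesting a session; a request for any destination not listed in permitopen is refused by the server.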

I don't entirely understand what you want, but if you are using public key encryption, perhaps you could use the command="xxxx" parameter to a public key. See man sshd for details on this.

Alternately, there is the ssh -f command (plus appropriate other options) to put the ssh in the background, but it doesn't sound like that would be what you want.

You might also want to examine PAM. You could use PAM to trigger a command on login specific to SSH. See man pam for more details.

However, as someone said, there probably isn't a way for the server to forward ports.

What if you configured the SSH client's .ssh/config file to create a forward when used? Probably don't have local shells I imagine...

Mei