For security reasons, I have created a user on my remote VPS only to use it for SSH tunneling. My local PC goes into the hands of many others, which scares me because I need to leave that SSH session open. So, I want to lock this user (on the server) so that others can't do anything other than SSH tunneling (even if the password gets compromised). With this user, I only want to log in (with a password) and do SSH tunneling, nothing more!
Can you please help?
@ChrisS oh sorry.. I was on my friend's PC. By mistake, I used the browser in which he was logged in. So, you might have encountered the same flag message from two accounts. – Feb 17 '12 at 17:33
This question seems like it might be useful: http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding – mwfearnley Apr 11 '17 at 16:00
2 Answers
Presumably, you use an SSH key to authenticate as that user.
In the .ssh/authorized_keys you can set options about what things that user can do. For example you could set the no-pty and no-X11-forwarding options to prevent the user from getting a shell or doing any X11 forwarding. See the sshd man page for a full list of options.
If you are not using key-based authentication, and your server is running a fairly recent version of OpenSSH, then use the Match User option combined with the options to block access, and force a command that does nothing. See man sshd_config.
# sshd_config: the lines after Match apply only to this user, until the next Match
Match User username
    # keep port forwarding, drop X11, and replace the login shell with a no-op command
    AllowTcpForwarding yes
    X11Forwarding no
    ForceCommand /bin/cat

By login, I meant login with a password. SSH key-based authentication doesn't work with the SSH Tunnel app for Android. – Feb 15 '12 at 23:51
Instead of /bin/cat, you want http://www.mariovaldez.net/software/sleepshell/ – wfaulk Feb 16 '12 at 00:12
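As an added example (not code from either answer), a small Python audit that resolves what a given user effectively gets from an sshd_config, following sshd's Match semantics in simplified form, and reports which tunnel-only settings are still missing. It checks the Match block posted above against a hardened variant; PermitTTY and AllowAgentForwarding are real sshd_config keywords not mentioned on the page, and the user name "tunnel" is a constructed placeholder.

```python
"""Audit an sshd_config for a tunnel-only account (added example, not code from the
answers above). Simplified sshd Match semantics: global keywords apply to everyone,
a Match block whose User criterion names the user overrides them, and when several
blocks match, the first to set a keyword wins. Only exact 'Match User' names are handled."""

# Policy for a tunnel-only account: PermitTTY and AllowAgentForwarding are real
# sshd_config keywords; the required values below are this example's choice.
REQUIRED = {
    "allowtcpforwarding": {"yes", "local"},
    "permittty": {"no"},
    "x11forwarding": {"no"},
    "allowagentforwarding": {"no"},
}

def effective_config(text, user):
    """Return {keyword: value} (keywords lower-cased) as resolved for `user`."""
    global_opts, match_opts = {}, {}
    in_match = applies = False
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/args
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()  # criterion/pattern pairs, e.g. ['User', 'tunnel']
            users = {u for i in range(0, len(crit) - 1, 2)
                     if crit[i].lower() == "user" for u in crit[i + 1].split(",")}
            in_match, applies = True, user in users
        elif not in_match or applies:
            (match_opts if in_match else global_opts).setdefault(key, value)  # first wins
    return {**global_opts, **match_opts}  # Match values override global ones

def audit(text, user):
    """Return the sorted list of required keywords missing or wrong for `user`."""
    eff = effective_config(text, user)
    problems = [k for k, ok in REQUIRED.items() if eff.get(k, "").lower() not in ok]
    if "forcecommand" not in eff:
        problems.append("forcecommand")
    return sorted(problems)

# Constructed sample: the Match block posted above, under a permissive global section.
POSTED = """PermitTTY yes
X11Forwarding yes
Match User tunnel
    AllowTcpForwarding yes
    X11Forwarding no
    ForceCommand /bin/cat
"""
# Constructed hardened variant: also denies the TTY and agent forwarding for the user.
HARDENED = POSTED + "    PermitTTY no\n    AllowAgentForwarding no\n"
```

Running `audit(POSTED, "tunnel")` shows that the posted block still leaves the global PermitTTY and the default AllowAgentForwarding in place, while the hardened variant reports nothing missing.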
You could set up the initial SSH session/tunnel without RSA keys and with the -L (bind forwarded address to local address) and -N (do not execute any commands) options, i.e.:
ssh -N -L localport:webaddress:port user@server
so in your case, since you're forwarding SSH, it might look like...
ssh -N -L 22:webaddress:22 user@server
This should set you up with the forward without setting up a session.
Some light watching and reading on this.

But it's not a server-side solution. If my password gets compromised, it can't help. Notice that I have added a dedicated user for this task. – Feb 16 '12 at 00:00