I am looking into implementing SSH tunneling as a cheap VPN solution for outside users to access Intranet-only facing web applications.
I currently am using Ubuntu Server 10.04.1 64 bit with OpenSSH installed.
I am using Putty on Windows boxes to create a tunnel on a local port to my ssh server.
start putty -D 9999 mysshserver.com -N
I then use tell Firefox to use a SOCKS proxy on localhost:9999.
The -N flag will disable the interactive shell from the client side. Is there a way to do this on the server side?
Besides disabling root access, using rsa key authentication, and changing the default port; are there any other obvious security practices I should follow for this purpose? My goal is to simply be able to tunnel web traffic.
After four years this answer deserved an update. While originally I used
authorized_keysmyself and would probably use it still in some select cases, you can also use the centralsshd_configserver configuration file.sshd_config
You can designate (for your particular use case) a group, such as
proxy-onlyorMatchindividual users. Insshd_config. This is done after the global settings and revokes, repeats or refines some of the settings given in the global settings.Note: some of the syntax/directives used in
sshd_config(5)are documented in themanpage forssh_config(5). In particular make sure to read the PATTERNS section ofssh_config(5).For a group this means your
Matchblock would begin like this:You can
Matchthe following criteria:User,Group,Host,LocalAddress,LocalPortandAddress. To match several criteria simply comma-separate the criteria-pattern pairs (group proxy-onlyabove).Inside such a block, which is traditionally indented accordingly for brevity (but needn't to), you can then declare the settings you want to apply for the user group without having to edit every single
authorized_keysfile for members of that group.The
no-ptysetting fromauthorized_keyswould be mirrored by aPermitTTY nosetting andcommand="/sbin/nologin"would becomeForceCommand /sbin/nologin.Additionally you can also set more settings to satisfy an admin's paranoia, such as
chroot-ing the user into his home folder and would end up with something like this:(check yourself whether you need or want the commented out lines and uncomment as needed)
The
%his a token that is substituted by the user's home directory (%uwould yield the user name and%%a percent sign). I've foundChrootDirectoryparticularly useful to confine mysftp-onlyusers:Please mind that only certain directives can be used in a
Matchblock. Consult themanpagesshd_config(5)for details (search forMatch).authorized_keys
NB: the part below this remark was my original answer. Meanwhile - but it also depends on the features of your exact
sshdversion - I would go for the method described above in most cases.Yes you can, as fine-grained as you can assign public keys. In addition to nologin as recommended by ajdecon, I would suggest setting the following in front of the key entry in
authorized_keys:The no pty tells the server-side that no pseudo-terminal should be allocated for that key.
You can also force the execution of something like nologin for a particular key by prepending this:
For any tunnelling-only user, change their login shell to /sbin/nologin. That way your user will be unable to access a shell on the server, but will still be able to run set up ssh tunnels from their client.
In case you are ready to give up user/pass authentication and use keys for logging in, you can specify parameters to each public key.
Notable parameters are:
and
and finally
With these you can pretty much restrict the user of that particular key pair what (s)he can do with the SSH session.
It would look like this:
I know this may not be the answer you're looking for, but have you considered using OpenVPN as an alternative?
I recommend trying Tunnelier. It's a heck of a lot easier to configure/manage.