Title: Create a dedicated user for ssh tunneling only
Author: Solène
Date: 17 April 2019
Tags: openbsd ssh
Description:
I use ssh tunneling A LOT, for everything. Yesterday, I removed the
public access of my IMAP server; it's now only reachable through an ssh
tunnel to the daemon listening on localhost. I have plenty of daemons
listening only on localhost that I can only reach through an ssh
tunnel. If you don't want to bother with ssh and redirecting each port
you need, you can also set up a VPN (using ssh, openvpn, iked, tinc...)
between your system and your server. I tend to avoid setting up a VPN
for this use case, as it requires more work and more maintenance than
running an ssh server and an ssh client.
The last change, for my IMAP server, introduced an issue. I want my
phone to access the IMAP server, but I don't want to connect to my main
account from my phone for security reasons. So I need a dedicated user
that is only allowed to forward ports.

This is done very easily on OpenBSD.
The steps are:

1. generate ssh keys for the new user
2. add a user with no password
3. allow the public key for port forwarding only

**Obviously, you must allow users (or only this one) to do port
forwarding in your sshd_config**.
### Generating ssh keys

Please generate the keys in a safe place, using
[ssh-keygen](https://man.openbsd.org/ssh-keygen):

```
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SOMETHINGSOMETHINSOMETHINSOMETHINSOMETHING user@myhost
The key's randomart image is:
+---[RSA 3072]----+
| |
| ** |
| * ** . |
| * * |
| **** * |
| **** |
| |
| |
| |
+----[SHA256]-----+
```

This will create your public key in ~/.ssh/id_rsa.pub and the private
key in ~/.ssh/id_rsa.
### Adding a user

On OpenBSD, we will create a user named **tunnel**; this is done with
the following command as root:

```
# useradd -m tunnel
```

This user has no password, so it cannot log in with a password; the
only way in will be the key we authorize in the next step.
### Allow the public key to port forward only

We will use the **command** restriction in the **authorized_keys** file
to allow the previously generated key to do nothing but forward ports.

Edit **/home/tunnel/.ssh/authorized_keys** as follows:

```
command="echo 'Tunnel only!'" ssh-rsa PUT_YOUR_PUBLIC_KEY_HERE
```

If the user connects and asks for a shell or a command, this prints
"Tunnel only!" and closes the connection. A client that connects with
-N requests no session at all, so the command never runs and the port
forwards stay up.
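As an added example (my own shell script, not Solène's code and not part of OpenBSD), here is the server side of the three steps above assembled into one script. It assumes the user is named tunnel, that the only service to expose is the IMAPS daemon on localhost:993, and OpenSSH 7.2 or newer (for the restrict keyword in authorized_keys). It goes beyond the post in two ways: it adds the restrict, port-forwarding and permitopen options next to the post's command= trick, and it emits the sshd_config Match block that grants AllowTcpForwarding to this one user while switching everything else off.

```shell
#!/bin/sh
# Added example, not code from the original post: build the
# authorized_keys entry and the sshd_config Match block for a
# forward-only user, and optionally install both on the server.
# Assumptions (mine, not the post's): user "tunnel", only IMAPS on
# localhost:993 is exposed, OpenSSH >= 7.2 for "restrict".

TUNNEL_USER="tunnel"
PERMIT_OPEN="localhost:993"
FORCED_CMD="echo 'Tunnel only!'"   # same message the post uses

# Accept only a line that looks like an OpenSSH public key
# (key type, base64 blob, optional comment), so a stray file
# never ends up in authorized_keys.
is_public_key() {
    case "$1" in
        ssh-ed25519\ [A-Za-z0-9+/]*|ssh-rsa\ [A-Za-z0-9+/]*|ecdsa-sha2-*\ [A-Za-z0-9+/]*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# authorized_keys line: "restrict" disables pty, agent and X11
# forwarding and ~/.ssh/rc; "port-forwarding" re-enables TCP forwarding
# only; permitopen pins the forward to one destination; command= is the
# post's trick that ends any session asking for a shell or command.
authorized_keys_line() {
    is_public_key "$1" || { echo "not a public key: $1" >&2; return 1; }
    printf 'restrict,port-forwarding,permitopen="%s",command="%s" %s\n' \
        "$PERMIT_OPEN" "$FORCED_CMD" "$1"
}

# Server-side counterpart in sshd_config: AllowTcpForwarding must be on
# for this user (the post's "obviously" step); everything else is off.
# Match blocks must come last in sshd_config, so appending is correct.
sshd_match_block() {
    printf 'Match User %s\n' "$TUNNEL_USER"
    printf '    AllowTcpForwarding yes\n'
    printf '    PermitOpen %s\n' "$PERMIT_OPEN"
    printf '    PermitTTY no\n'
    printf '    X11Forwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    PasswordAuthentication no\n'
    printf '    ForceCommand %s\n' "$FORCED_CMD"
}

# Run as root on the OpenBSD server: create the user (no password, as
# in the post), install the key with the right permissions, append the
# Match block, then validate and reload sshd.
install_tunnel_user() {
    keyfile="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    key=$(head -n 1 "$keyfile") || return 1
    line=$(authorized_keys_line "$key") || return 1
    id "$TUNNEL_USER" >/dev/null 2>&1 || useradd -m "$TUNNEL_USER"
    home="/home/$TUNNEL_USER"          # what useradd -m creates on OpenBSD
    install -d -m 700 -o "$TUNNEL_USER" "$home/.ssh"
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    chown "$TUNNEL_USER" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    sshd_match_block >> /etc/ssh/sshd_config
    sshd -t && rcctl reload sshd
}

# Command-line use: "sh tunnel-user.sh print KEYFILE" shows what would
# be installed; "sh tunnel-user.sh install KEYFILE" applies it as root.
case "${1:-}" in
    print)   authorized_keys_line "$(head -n 1 "$2")" && sshd_match_block ;;
    install) install_tunnel_user "$2" ;;
esac
```

After installing, you can confirm what sshd will actually apply to this user with `sshd -T -C user=tunnel,host=phone.example,addr=192.0.2.1 | grep -i forwarding` (the host and address are placeholders; sshd -T needs them to evaluate Match blocks). The restrict keyword is what makes the entry fail closed: any forwarding type added to OpenSSH in the future is off for this key unless explicitly re-enabled.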
### Connect using ssh

You can connect with [ssh(1)](https://man.openbsd.org/ssh.1) as usual,
but you will need the flag **-N** so that no shell is started on the
remote server:

```
$ ssh -N -L 10000:localhost:993 tunnel@host
```
If you want the tunnel to stay up in the most automated way possible,
you can use **autossh** from ports, which does a great job at keeping
ssh up:

```
$ autossh -M 0 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "TCPKeepAlive yes" -N -v -L 9993:localhost:993 tunnel@host
```

This command starts autossh, which restarts ssh whenever the forwarding
fails. That is likely to happen when you lose connectivity, because it
takes some time for the remote server to effectively tear down the
forwarding. It also performs keepalive checks so the tunnel stays up
and is verified to be up (this is particularly useful on wireless
connections like 4G/LTE).

The other flags are plain ssh parameters: don't start a shell, and make
a local forwarding. Don't forget that as a regular user you can't bind
to ports below 1024; that's why I redirect port 993 to the local port
9993 in the example.
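The client side of the same setup, as an added example (my own script, not from the original post): it assembles the post's autossh command from a few variables, refuses to start when the local port is one an unprivileged user cannot bind (the 993 vs 9993 point above), and gives you a way to check that the forward is listening before pointing a mail client at it. It assumes autossh and nc are installed, that the server user is tunnel on a host literally named host, and the post's forward of localhost:993 to local port 9993.

```shell
#!/bin/sh
# Added example, not from the original post: client-side helper for the
# forward-only tunnel. Assumptions (mine): autossh and nc are installed,
# user "tunnel" on host "host", forward localhost:993 -> 127.0.0.1:9993.

TUNNEL_USER="tunnel"
TUNNEL_HOST="host"
REMOTE="localhost:993"
LOCAL_PORT="9993"

# Ports below 1024 need root; the post forwards 993 to 9993 for exactly
# this reason. Takes the uid as a parameter so the rule is easy to test.
local_port_allowed() {
    port="$1"; uid="$2"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac      # digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$port" -ge 1024 ] || [ "$uid" -eq 0 ]
}

# The post's autossh invocation, assembled from the variables above.
# -M 0 turns off autossh's own monitor port and relies on the ssh
# keepalive options instead; ExitOnForwardFailure makes ssh exit (and
# autossh restart it) when the forward cannot be established.
tunnel_command() {
    printf 'autossh -M 0 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "TCPKeepAlive yes" -N -L %s:%s %s@%s\n' \
        "$LOCAL_PORT" "$REMOTE" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# True when something is accepting connections on the local end of the
# tunnel (nc -z only probes, it sends nothing).
tunnel_is_up() {
    nc -z 127.0.0.1 "$LOCAL_PORT" >/dev/null 2>&1
}

# Check the port rule, then run the command. eval is safe here because
# every piece of the string comes from the constants above.
start_tunnel() {
    local_port_allowed "$LOCAL_PORT" "$(id -u)" || {
        echo "local port $LOCAL_PORT needs root or a port >= 1024" >&2
        return 1
    }
    eval "$(tunnel_command)"
}

# Command-line use: "sh tunnel.sh start" runs the tunnel in the
# foreground, "sh tunnel.sh check" reports whether it is listening.
case "${1:-}" in
    start) start_tunnel ;;
    check) if tunnel_is_up; then echo "tunnel up on 127.0.0.1:$LOCAL_PORT"
           else echo "tunnel down"; exit 1; fi ;;
esac
```

Run `sh tunnel.sh start &` and then `sh tunnel.sh check` until it reports up; the mail client is then configured for IMAPS on 127.0.0.1 port 9993. One caveat to expect: the TLS certificate presented through the tunnel is still the IMAP server's own, issued for its real hostname, so the client must be told to verify that name rather than localhost.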
### Making the tunnel on Android

If you want to access your personal services from your Android phone,
you can use the **ConnectBot** ssh client. It's really easy:

1. upload your private key to the phone
2. add it in ConnectBot from the main menu
3. create a new connection with the user and your remote host
4. choose to use public key authentication and pick the registered key
5. uncheck "start a shell session" (this is equivalent to the -N ssh flag)
6. from the main menu, long touch the connection and edit the forwarded ports

Enjoy!