RE: SSH Tunneling without console login
From: Joseph Spenner (joseph85750_at_yahoo.com)
Date: 11/26/05
- Previous message: Jesse: "RE: SSH Tunneling without console login"
- In reply to: Jesse: "RE: SSH Tunneling without console login"
- Next in thread: John Maher: "Re: SSH Tunneling without console login"
Date: Fri, 25 Nov 2005 17:29:26 -0800 (PST)
To: Jesse <lowbass@gmail.com>, peter@rz-zw.fh-kl.de

Another approach is to make the target system account not have a standard shell. Instead, the target system has a script that simply says/loops through a print statement upon connection:

"You are connected to the system. Hit ctrl-c to close this connection"

Perhaps a sleep 30, then print again (for keepAlive purposes).

So, in your target system you'd set up a special account just for this purpose. The entry in your /etc/passwd might be something like:

fooman:x:1000:100::/home/fooman:/home/fooman/loopit.sh

You can also get clever in your authorized_keys so that the client can only make specific port redirects.

--- Jesse <lowbass@gmail.com> wrote:
> Hi,
>
> My problem is this:
> I'm using the remote forwarding command on PC1. (So that a port on PC2 is forwarded to a port on PC1.) Remote forwarding works fine, but unwanted is that the command will also login onto PC2. Unwanted because PC1 is not fully under my control (but PC2 is), so people on PC1 can find out about how to log into PC2 by looking at PC1 and get a shell prompt.
>
> At the moment I fixed this using Bitvise WinSSHD (Win32 SSH server software). This program has an option called "Permit terminal shell: No". Using this will cause the command to authenticate, but after that it will not give a shell prompt, only a black screen.
>
> So using that account of WinSSHD, people will be able to authenticate, but will not be able to login in the shell.
> But when using an account of OpenSSH, people will also be able to login in the shell, which is unwanted. I only need SSH tunneling, but not SSH shell login.
>
> Of course I can use WinSSHD, but I'm looking for a solution using OpenSSH.
>
> Regards,
>
> Jesse
>
> -----Original Message-----
> From: Thorsten Peter [mailto:peter@rz-zw.fh-kl.de]
> Sent: Friday, 25 November 2005 18:22
> To: Jesse
> CC: secureshell@securityfocus.com
> Subject: Re: SSH Tunneling without console login
>
> hey,
>
> well you won't be able to open ssh tunnels, no matter what without logging in to the server. that's the way it works.
> i am not sure what your point is. maybe you wanna try what i do for tunneling purposes, i login to the remote server with the following command:
>
> ssh -fN user@remotehost -L localport:targetip:targetport (in your case -R for remote forwarding)
>
> -f forces ssh to go into background.
> -N makes it stop executing other commands (for tunneling purposes only)
>
> so what it does, it logs in to your remote server, as a background process. you can then just leave it running, log out of your local shell, or do whatever you want. but still you DO login to the remote console. just that you don't have the ssh login running as a foreground process.
>
> regards
>
> Thorsten
>
> Jesse wrote:
> > Question:
> > Is it possible to use remote port forwarding (tunneling) without having to login on the console?
> >
> > Situation:
> > I have a server (PC1) which is running a SSH service behind a firewall. I do NOT have any control over the firewall, but I do want to access the SSH service of PC1 from PC2 over the Internet.
> >
> > Solution for the situation:
> > I'm using the following command on PC1 to let PC1 make a SSH-tunnel to PC2
> > ssh -R 4000:localhost:22 account@PC2
> > And I have installed a SSH service on PC2 to make tunneling possible.
> >
> > Same question in detail:
> > When I use the command above, it will make the tunnel, but I will also make PC1 login on the console of PC2. That last step is something I do not want.
> > PC1 should only make the tunnel to PC2, but should NOT login on the console of PC2.
> > Is this possible?
> >
> > -Jesse
> >
> >
> >
> >
>
>
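
The two measures suggested at the top of this message, as an added example that is not code from the thread or from OpenSSH: a body for the loopit.sh login shell and a check that an authorized_keys entry carries forwarding restrictions. The function names, the sample key lines and the port 4000 listen restriction are assumptions; permitlisten (which limits -R listens, where permitopen limits -L destinations) is an OpenSSH option newer than this 2005 thread.

```shell
#!/bin/sh
# Added example (not from the thread): body for /home/fooman/loopit.sh plus a
# check for the authorized_keys restrictions. Names below are assumptions.

# Print the banner every $1 seconds, $2 times (0 = until the client leaves).
loopit() {
    interval=${1:-30} count=${2:-0} n=0
    while [ "$count" -eq 0 ] || [ "$n" -lt "$count" ]; do
        echo "You are connected to the system. Hit ctrl-c to close this connection"
        n=$((n + 1))
        sleep "$interval"
    done
}

# Return 0 if one authorized_keys line limits its key to forwarding:
# no terminal (no-pty or restrict) and a permitopen=/permitlisten= list.
tunnel_only_key() {
    # Keep only the options field: drop key type, blob ("AAAA...") and comment.
    opts=$(printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]]+)(ssh|ecdsa|sk)-[^[:space:]]+[[:space:]]+AAAA.*$//')
    case ",$opts," in
        *,no-pty,*|*,restrict,*) ;;
        *) return 1 ;;
    esac
    case ",$opts" in
        *,permitopen=*|*,permitlisten=*) return 0 ;;
    esac
    return 1
}

# Constructed sample entries; the key blobs are placeholders, not real keys.
GOOD_KEY='no-pty,permitlisten="4000" ssh-ed25519 AAAAC3CONSTRUCTED fooman@pc1'
OPEN_KEY='ssh-ed25519 AAAAC3CONSTRUCTED fooman@pc1'

# Run the loop only when installed as the login shell. sshd starts the shell
# as "loopit.sh -c <command>" for remote commands; the arguments are ignored,
# so the client gets the banner instead of a shell or a command.
case "$0" in
    */loopit.sh) loopit ;;
esac
```

The key options alone do not stop `ssh host command` from running without a terminal, which is why the banner loop as login shell and the key restrictions are used together.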