Re: SSH Tunneling without console login
From: Richard E. Silverman (res_at_qoxp.net)
Date: 11/25/05
- Previous message: simon_l_evans_at_yahoo.co.uk: "Re: OpenSSH environment passing"
- In reply to: Jesse: "Re: SSH Tunneling without console login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Nov 2005 19:21:25 -0500
>>>>> "Jesse" == Jesse <"do not spam"> writes:

Jesse> I'm looking for an option on the SSH-Tunnel-server (PC2) side,
Jesse> not on the SSH-Tunnel-client side (PC1). This because PC1 is
Jesse> not fully under my control, but PC2 is.

Jesse> Is there also an option like -N for SSHD somehow? I could not
Jesse> find such.

So you want to have the server allow tunneling-related channels in the
connection protocol, but deny shell and exec channels? OpenSSH does not
have this level of granularity, though some SSH servers do (e.g. VShell by
VanDyke). I think the best you can do is prevent *useful* shell/command
channels by either making the shell a restrictive program, or enforcing a
useless remote command (e.g. /bin/false) using the command= option in
authorized_keys (assuming you allow only publickey authentication).

Note that you may not want to make the shell completely useless (e.g. also
/bin/false), since sshd uses the shell for all programs run on the
client's behalf, e.g. xauth in support of X forwarding.

-- Richard Silverman res@qoxp.net
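
Added example, not part of the original message: a small Python audit of an authorized_keys file that reports, for each key, the command= value enforced on it, so tunnel keys left without a forced command stand out. The sample file, key material and account names are constructed; no-pty and permitopen are real OpenSSH options that appear here only to exercise the option parser.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

def split_options(line):
    """Split one authorized_keys line into ({option: value}, remainder)."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}, line         # line starts with the key type: no options
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            buf += '"'          # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append(buf)
            buf = ""
        elif c.isspace() and not in_quote:
            break               # unquoted whitespace ends the options field
        else:
            buf += c
        i += 1
    opts.append(buf)
    pairs = (opt.partition("=") for opt in opts)
    return {k.lower(): v for k, _, v in pairs}, line[i:].strip()

def audit(text):
    """Return (line_no, comment, forced_command_or_None) for every key."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        rows.append((n, fields[2] if len(fields) > 2 else "", opts.get("command")))
    return rows

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = '''# tunnel accounts on PC2
command="/bin/false",no-pty ssh-rsa AAAAPLACEHOLDER1 tunnel-only@pc1
ssh-rsa AAAAPLACEHOLDER2 admin@pc2
permitopen="127.0.0.1:5900",command="echo \\"tunnel only, a=b\\"" ssh-dss AAAAPLACEHOLDER3 vnc@pc1
'''

for row in audit(SAMPLE):
    print(row)
```

A row whose last field is None is a key that can still open a normal shell or exec channel.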