
ssh: pulling a port out from behind NAT for ourselves


What ssh -R does (© erik, unix.stackexchange.com)

Task: connect to a service that sits behind NAT, given a person next to that service who is armed with ssh, and a white (public) IP at home.

Option -R


ssh has a mode in which it opens a port on the server and, through the tunnel from the server to the client, redirects connections arriving on that port to the specified address on the client's network.

That is, we need to bring up sshd and ask the person to run

  $ ssh -N -R server_port:target:target_port sshd_server 

Then on our machine with sshd the port server_port opens, and connections to it are tunneled to target:target_port on that person's network.

How to restrict permissions in sshd_config


  ForceCommand echo "no shell access is given" 

If this option is set, the specified command is executed instead of whatever the client asked for (normally the client requests a shell).
Since scp works through the [built-in] sftp subsystem, copying files is blocked as well.

Tunneling (forwarding) still works.

  AllowTcpForwarding remote 

Limits which TCP forwarding modes are allowed; with the value remote only the -R (remote) direction is permitted.


  Match 

As usual, the options above can be put in a section, for example Match User tunnel, so that they apply only to connections that authenticate as this user (ssh ... tunnel@sshd_server).

Append this to the end of sshd_config (everything after a Match line belongs to that block, so it must come last) and remember to create the user tunnel:
  Match User tunnel
     ForceCommand echo "no shell access is given"
     AllowTcpForwarding remote
     # in case these are set differently at the global level:
     X11Forwarding no
     PermitTunnel no 

It would also be good to limit the ports that the client may bind on the server, but that is not possible without patching sshd.

More convenient, and without root


I want to solve the problem in the spirit of netcat: do not touch the system sshd, do not create new users, and do not run daemons.

sshd can be run without root if you give it a separate config and disable several options. (It will, however, only be able to accept the user it was launched as.) You also need to specify a separate HostKey and a separate PidFile.

There is also an authentication problem. Since sharing your own system password with clients is wrong (and we are not going to create a separate user), you need to leave only key authentication and point it at a separate authorized_keys file.

In addition, it is convenient to run the resulting sshd without daemonizing and with its log on the console, in order to watch the tunnels being created.

Ready script: start a user-level sshd limited to creating tunnels.
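As an added example (not the author's script linked above, and not part of the original post), the following POSIX shell script ties the three parts of the article together: it renders the restricted sshd_config from the "How to restrict permissions" section, prepares the state directory for a user-level sshd as described in this section, runs it in the foreground with the log on the console, and prints the exact ssh -R command the person behind NAT should run. The state directory, port 2222, the ed25519 host key and the sshd path /usr/sbin/sshd are assumptions. One caveat the article could not make in 2015: OpenSSH 7.8 and later do let you limit the ports a client may bind with PermitListen, so the script emits that directive when you pass a third argument; leave it off on older versions, which would reject the unknown keyword.

```shell
#!/bin/sh
# Added example: a non-root, key-only sshd that accepts only remote (-R)
# tunnels. Directory, port, key type and sshd path are assumptions.
set -eu

# sshd started as a normal user can only authenticate that user.
TUNNEL_USER=$(id -un 2>/dev/null || id -u)

# Render the restricted sshd_config to stdout.
# $1 = state directory, $2 = listen port, $3 = optional PermitListen spec
# (OpenSSH 7.8+, e.g. "localhost:8080"); omitted means no port limit.
tunnel_sshd_config() {
    dir=$1; port=$2; permit=${3:-}
    cat <<EOF
Port $port
HostKey $dir/host_key
PidFile $dir/sshd.pid
AuthorizedKeysFile $dir/authorized_keys
AllowUsers $TUNNEL_USER
# key authentication only: the system password is never shared
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# no shell, no file copying, only -R tunnels
ForceCommand echo "no shell access is given"
AllowTcpForwarding remote
# forwarded ports bind to loopback on the server, not to the public IP
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
PermitTTY no
# drop dead tunnels instead of leaving the port occupied
ClientAliveInterval 30
ClientAliveCountMax 3
# VERBOSE logs the fingerprint of the key behind each connection
LogLevel VERBOSE
EOF
    if [ -n "$permit" ]; then
        printf 'PermitListen %s\n' "$permit"
    fi
}

# Create the state directory, host key, authorized_keys and config.
# Permissions matter: StrictModes refuses world-readable key files.
tunnel_sshd_setup() {
    dir=$1; port=$2; permit=${3:-}
    mkdir -p "$dir"; chmod 700 "$dir"
    [ -f "$dir/host_key" ] || ssh-keygen -q -t ed25519 -N '' -f "$dir/host_key"
    touch "$dir/authorized_keys"; chmod 600 "$dir/authorized_keys"
    tunnel_sshd_config "$dir" "$port" "$permit" > "$dir/sshd_config"
    chmod 600 "$dir/sshd_config"
    echo "add the client's public key to $dir/authorized_keys" >&2
}

# Run sshd in the foreground (-D) with the log on stderr (-e).
# sshd re-executes itself, so it must be started by absolute path.
tunnel_sshd_start() {
    dir=$1
    sshd_bin=${SSHD:-/usr/sbin/sshd}
    "$sshd_bin" -t -f "$dir/sshd_config"        # syntax check first
    exec "$sshd_bin" -D -e -f "$dir/sshd_config"
}

# Print the command for the person behind NAT: -N runs no command,
# ExitOnForwardFailure makes ssh quit instead of silently connecting
# without the tunnel, keepalives detect a dead link.
# $1 = our host, $2 = sshd port, $3 = port to open on our side,
# $4 = target host on their network, $5 = target port
client_command() {
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:%s:%s %s@%s\n' \
        "$2" "$3" "$4" "$5" "$TUNNEL_USER" "$1"
}

# Usage: ./tunnel-sshd.sh start [permit_listen_spec]
if [ "${1:-}" = "start" ]; then
    STATE=${TUNNEL_DIR:-$HOME/.tunnel-sshd}
    tunnel_sshd_setup "$STATE" 2222 "${2:-}"
    echo "ask the client to run:" >&2
    client_command "$(hostname)" 2222 8080 192.168.1.10 80 >&2
    tunnel_sshd_start "$STATE"
fi
```

With GatewayPorts no the opened port is reachable only from the machine running sshd (localhost:8080 in the printed example), which is exactly the article's use case; the target address 192.168.1.10:80 is a constructed placeholder for the service behind NAT.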

Source: https://habr.com/ru/post/249515/

