add user account

This commit is contained in:
Florz 2021-02-18 22:23:55 +01:00
parent d7cd5dc5a2
commit 4c46efff33
1 changed files with 19 additions and 1 deletions


@ -11,6 +11,7 @@ When you follow this guide, you can make otherwise protected services accessible
When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost).
## Server configuration
First become root through `sudo su -` or `su -`.
### `/etc/ssh/sshd_config`
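Review bot: the warning "When you don't set restrictions properly" leaves open which restrictions are meant; since the mitigation this guide actually relies on is the `permitlisten` option in `authorized_keys` introduced further down, name it here (e.g. "When you don't restrict the forwardable ports via `permitlisten` in `authorized_keys`, ...") so the reader knows which setting the risk of an exposed localhost database hinges on.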
@ -20,4 +21,21 @@ GatewayPorts clientspecified
ClientAliveInterval 5
ClientAliveCountMax 3
```
This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.
This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.
### special user account
on debian you can run the following:
```
adduser ssh-port-forwarding --system
su ssh-port-forwarding -s '/bin/bash' -c 'mkdir ~/.ssh/; chmod 700 ~/.ssh/; touch ~/.ssh/authorized_keys'
```
`/etc/passwd` should look similar to this:
`ssh-port-forwarding:x:1001:65534::/home/ssh-port-forwarding:/usr/sbin/nologin`
and `ls -lsha ~ssh-port-forwarding/.ssh/` should look like this:
```
4,0K drwx------ 2 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 .
4,0K drwxr-xr-x 3 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 ..
0 -rw-r--r-- 1 ssh-port-forwarding nogroup 0 18. Feb 22:18 authorized_keys
```
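Review bot: the removed and re-added sentence at the top of this hunk is identical as rendered, so the change is whitespace-only; since that line is being touched anyway, fix its typo and markup at the same time: "late on" should read "later on", and the backticks should enclose only the filename, i.e. "in the `authorized_keys` file". In the new section, the one-liner `su ssh-port-forwarding -s '/bin/bash' -c 'mkdir ~/.ssh/; chmod 700 ~/.ssh/; touch ~/.ssh/authorized_keys'` chains with `;`, so a failed `mkdir` (e.g. because the home directory was not created) still runs `chmod` and `touch` and silently leaves the account without a usable `authorized_keys`; use `&&` between the commands so the sequence stops at the first error. Also, the heading `### special user account` is lower-case while the sibling heading is `## Server configuration`; capitalise it for consistency.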