From 4c46efff3391dece112b0f687d73b901868cb41e Mon Sep 17 00:00:00 2001 From: Florz Date: Thu, 18 Feb 2021 22:23:55 +0100 Subject: [PATCH] add user account --- README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f35d1c7..d3843bc 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ When you follow this guide, you can make otherwise protected services accessible When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost). ## Server configuration +First become root through `sudo su -` or `su -`. ### `/etc/ssh/sshd_config` 
@@ -20,4 +21,21 @@ GatewayPorts clientspecified ClientAliveInterval 5 ClientAliveCountMax 3 ``` -This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter. \ No newline at end of file +This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter. + +### special user account + +on debian you can run the following: +``` +adduser ssh-port-forwarding --system +su ssh-port-forwarding -s '/bin/bash' -c 'mkdir ~/.ssh/; chmod 700 ~/.ssh/; touch ~/.ssh/authorized_keys' +``` + +`/etc/passwd` should look similar to this: +`ssh-port-forwarding:x:1001:65534::/home/ssh-port-forwarding:/usr/sbin/nologin` +and `ls -lsha ~ssh-port-forwarding/.ssh/` should look like this: +``` +4,0K drwx------ 2 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 . +4,0K drwxr-xr-x 3 ssh-port-forwarding nogroup 4,0K 18. Feb 22:18 .. + 0 -rw-r--r-- 1 ssh-port-forwarding nogroup 0 18. Feb 22:18 authorized_keys +``` \ No newline at end of file
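Review bot: the sentence added in the first hunk, `First become root through `sudo su -` or `su -`.`, should say why root is needed here, namely editing `/etc/ssh/sshd_config` in the subsection that follows and running `adduser` in the new section below, so the reader knows the whole server-configuration part runs as root and when to drop privileges again; `sudo -i` is the idiomatic Debian equivalent of `sudo su -` and could be offered as the first option.

Review bot: in the second hunk the sample `/etc/passwd` line shows UID 1001, which is not what `adduser --system` produces on Debian, where system accounts are assigned a UID from the system range (FIRST_SYSTEM_UID to LAST_SYSTEM_UID in `/etc/adduser.conf`, 100-999 by default); a reader comparing their own output will see a UID below 1000 and assume something went wrong. Either regenerate the sample line from a fresh `adduser --system` run or state that only the `nologin` shell, the home directory and the `nogroup` GID 65534 need to match. The `su ssh-port-forwarding -s '/bin/bash' -c '...'` line works only because of `-s '/bin/bash'` overriding the `/usr/sbin/nologin` shell; a short remark saying so would prevent readers from dropping the flag. Adding `chmod 600 ~/.ssh/authorized_keys` after the `touch` would also stop the file from being world-readable, as the `-rw-r--r--` in the `ls` listing shows, and the new heading `### special user account` is the only lower-case heading in the file; `### Special user account` matches `## Server configuration`.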