OpenSSH - tunnels (allow / deny) for single users

TH
Joined: 05.10.2009 - 14:14
OpenSSH - tunnels (allow / deny) for single users

Hi all,

I have a general question on OpenSSH concerning the way to allow / deny tunneling for users.

I know in OpenSSH I can allow tunneling of ports to IPs by defining the PermitOpen directive in sshd_config, for example:
PermitOpen 192.168.0.1:80 192.168.0.2:5900

But my question is: can I define something like rules that combine PermitOpen directives with users / groups?

Say I have two users: user A and user B.
User A should be allowed to access 192.168.0.1:80 only
User B should be allowed to access 192.168.0.2:5900 only

My question may sound silly to you but I really don't have any idea.

Thank you,
Thomas

TH
Joined: 05.10.2009 - 14:14
Solved ...

Hi all,

just to answer my question.

It's possible to include the PermitOpen directive in the user's public key file located on the OpenSSH server in the directory .ssh/authorized_keys

You'd do this like this in authorized_keys
permitopen="Target-IP:Target-Port",permitopen="Target-IP:Target-Port" ssh-rsa User-public-key

According to my given example (1st posting):

User A)
permitopen="192.168.0.1:80" ssh-rsa AAAA-and-so-on-user_A-publickey

User B)
permitopen="192.168.0.2:5900" ssh-rsa BBBB-and-so-on-user_B-publickey

Addition: User C should be able to access IP1:80 and IP2:5900
permitopen="192.168.0.1:80",permitopen="192.168.0.2:5900" ssh-rsa CCCCC-and-so-on-user_C-publickey

Be aware if you include PermitOpen in authorized_keys you must also have a PermitOpen directive in your "global" sshd_config covering all different entries in users' authorized_keys (exception: no entry for PermitOpen in sshd_config is also possible as this wouldn't restrict port forwarding or, the other way round, allows all IPs and all ports :-))).

So in my example: sshd_config (entries separated with blanks)
PermitOpen 192.168.0.1:80 192.168.0.2:5900

For me this works with OpenSSH server V 5.3 (CopSSH 3.01). But: no warranty!

And of course: for security reasons you'd restrict access to Home-Dirs, in a way users would be able to read only their own directories.

Regards,
Thomas

itefix
Joined: 01.05.2008 - 21:33
You can also use 'match'

You can also use 'match' directive in sshd_config:

Match   Introduces a conditional block.  If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file, un-
             til either another Match line or the end of the file.

             The arguments to Match are one or more criteria-pattern pairs.
             The available criteria are User, Group, Host, and Address.  The
             match patterns may consist of single entries or comma-separated
             lists and may use the wildcard and negation operators described
             in the PATTERNS section of ssh_config(5).

             The patterns in an Address criteria may additionally contain ad-
             dresses to match in CIDR address/masklen format, e.g.
             ``192.0.2.0/24'' or ``3ffe:ffff::/32''.  Note that the mask
             length provided must be consistent with the address - it is an
             error to specify a mask length that is too long for the address
             or one with bits set in the host portion of the address.  For
             example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively.

             Only a subset of keywords may be used on the lines following a
             Match keyword.  Available keywords are AllowAgentForwarding,
             AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
             GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
             KbdInteractiveAuthentication, KerberosAuthentication,
             MaxAuthTries, MaxSessions, PasswordAuthentication,
             PermitEmptyPasswords, PermitOpen, PermitRootLogin,
             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
             X11Forwarding and X11UseLocalHost.

TH
Joined: 05.10.2009 - 14:14
Question concerning Match directive

Match User works fine with keyword PermitOpen, thank you for the suggestion.

Example:
Match User userA,userB
PermitOpen IP1:Port1 IP2:Port2

Match User userC
PermitOpen IP3:Port3

I only have to be aware of the fact that other users which are not covered by any of the Match directives are not restricted to open tunnels.

As CopSSH runs in Cygwin under Windows OSes and uses the Windows user management for authentication one might think groups are also possible.

But I have trouble with Match Group MyRecentlyCreatedUserGroup

Can I use Match Group at all?
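As an added example (not code from this thread or from OpenSSH), the small audit helper below computes the effective PermitOpen set per user from a sshd_config with Match User blocks, which makes TH's point visible: users no Match block covers inherit the unrestricted global default unless the global section sets AllowTcpForwarding no (a keyword the quoted man page lists as allowed inside Match). It models only the User criterion and sshd_config PermitOpen, not Group matching or authorized_keys permitopen, and the two embedded configs are constructed for the example.

```python
# Added audit helper (constructed for this thread, not OpenSSH code): computes
# the effective PermitOpen set per user from a sshd_config with Match User blocks.
import shlex

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": ["any"]}

def parse_sshd_config(text):
    """Return (global_options, [(users, options), ...]) in file order."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":  # only the User criterion is modelled here
            crit = {k.lower(): v for k, v in zip(args[::2], args[1::2])}
            cur = ({u for u in crit.get("user", "").split(",") if u}, {})
            blocks.append(cur)
            continue
        target = cur[1] if cur is not None else glob
        if key == "permitopen":
            target.setdefault(key, []).extend(args)   # whitespace-separated list
        else:
            target.setdefault(key, args[0].lower())   # first value wins
    return glob, blocks

def effective_permit_open(text, user):
    """frozenset() = forwarding off; frozenset({'any'}) = unrestricted."""
    glob, blocks = parse_sshd_config(text)
    opts = {}
    for users, blk in blocks:
        if user in users:                 # matching blocks override globals;
            for k, v in blk.items():      # the first matching block wins
                opts.setdefault(k, v)
    for src in (glob, DEFAULTS):
        for k, v in src.items():
            opts.setdefault(k, v)
    if opts["allowtcpforwarding"] == "no":
        return frozenset()
    return frozenset(opts["permitopen"])

# Constructed configs: TH's Match setup as posted, and a default-deny variant.
THREAD_CONFIG = "Match User userA,userB\nPermitOpen IP1:Port1 IP2:Port2\n" \
                "Match User userC\nPermitOpen IP3:Port3\n"
DEFAULT_DENY_CONFIG = ("AllowTcpForwarding no  # off unless a Match block allows\n"
                       "Match User userA\nAllowTcpForwarding yes\n"
                       "PermitOpen 192.168.0.1:80\n")
```

Run effective_permit_open(THREAD_CONFIG, "someone") and the result is {'any'}, while the default-deny variant returns an empty set for the same uncovered user.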

itefix
Joined: 01.05.2008 - 21:33
I am not exactly sure, but

I am not exactly sure, but you can experiment with the mkgroup command:

All groups recognized by the Copssh are in the etc/groups file. You can use the command mkgroup  <options> > /etc/group from a bash command prompt.

Make a backup copy before the operations. mkgroup --help gives information about the usage.

TH
Joined: 05.10.2009 - 14:14
Yeah, I already tried this

Yeah, I already tried this command yesterday which listed the IDs and tried to add a Windows user group in the group file and add its ID to the user's entry in the passwd file by manually editing the respective files (backup made before doing so, sure :-)))

I guess a user can belong to only one group when defined in passwd file (two entries separated by blank or comma didn't work)
USERNAME: PASSWORD: USER ID: GROUP ID: INFORMATION: HOME: SHELL

It seems to me it's necessary that a user is a member of "users". If not (i.e. after editing the passwd file replacing group ID 545, which is "users", with the ID of the newly generated group), a PuTTY session would be possible but immediately stopped after authentication. I guess this is due to user rights on CopSSH's Windows dirs.

I think one could edit windows ACLs on the CopSSH dir but at this point things might become too complex. Especially when you think about future updates of CopSSH and you are not aware of having changed ACLs in the past.

So I stop my efforts at this point. Thank you for your help anyway.