Hi!

The current version of sshd allows restricting keys to issue only specific commands. However, port forwarding can only be forbidden entirely.

Given the following situation: A client C uses S as a POP3 server. We want to poll E-Mail via POP3 from S to A via an ssh tunnel without being asked for a password. Thus, we create a passphrase-less key pair on A, transmit the public key to S and insert it into ~account/.ssh/authorized_keys. The only command allowed is "sleep" to keep the connection open while the poll is going through via a forwarded port.

That way, one taking possession of the private key can "only" use S for arbitrary port forwards and does not have shell access to S.

I feel it would be desirable to restrict a key to "only do port forwards to localhost:110". Would it be possible to have something like that implemented in a future release?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Karlsruhe, Germany |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
I hope what you suggest gets implemented, as I've been wanting similar functionality for a while now. However, I was under the impression that Damien felt that new features should be added to the "upstream" OpenBSD version first. Please see the following messages for reference:

Message-Id: <19991218114559I.1000 at eccosys.com>
Message-Id: <Pine.LNX.4.10.9912212131240.1077-100000 at mothra.mindrot.org>
Message-Id: <20000303172656J.1000 at eccosys.com>
Message-ID: <Pine.LNX.4.10.10003050926090.662-100000 at mothra.mindrot.org>

I'd send you links, but I haven't been able to find all of the relevant messages at the archive that I know about -- here's one that I did find though:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=94577271606092&w=2

p.s. does anyone know of a different archive for the list?

marc> Given the following situation: A client C uses S as a POP3 server. We
marc> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
marc> being asked for a password. Thus, we create a passphrase-less key pair
marc> on A, transmit the public key to S and insert it into
marc> ~account/.ssh/authorized_keys. The only command allowed is "sleep" to keep
marc> the connection open while the poll is going through via a forwarded
marc> port.

marc> That way, one taking possession of the private key can "only" use S for
marc> arbitrary port forwards and does not have shell access to S.

marc> I feel it would be desirable to restrict a key to "only do port
marc> forwards to localhost:110". Would it be possible to have something
marc> like that implemented in a future release?
On Mon, 3 Apr 2000, Marc Haber wrote:

> Hi!
>
> The current version of sshd allows restricting keys to issue only
> specific commands. However, port forwarding can only be forbidden
> entirely.
>
> Given the following situation: A client C uses S as a POP3 server. We
> want to poll E-Mail via POP3 from S to A via an ssh tunnel without
> being asked for a password. Thus, we create a passphrase-less key pair
> on A, transmit the public key to S and insert it into
> ~account/.ssh/authorized_keys. The only command allowed is "sleep" to keep
> the connection open while the poll is going through via a forwarded
> port.
>
> That way, one taking possession of the private key can "only" use S for
> arbitrary port forwards and does not have shell access to S.
>
> I feel it would be desirable to restrict a key to "only do port
> forwards to localhost:110". Would it be possible to have something
> like that implemented in a future release?

I have been toying with the idea of implementing Keynote[1] policies as a substitute for authorized_keys. Keynote is nice because it solves the delegation problem well, but I couldn't figure out a way to cleanly support forced commands and port forward restrictions with the current Keynote language.

-d

[1] http://www.cis.upenn.edu/~angelos/keynote.html

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)