In your VPS sshd_config, you can put the following:
Match User myNephew
    # ZERO -- no login sessions allowed
    MaxSessions 0
    # User cannot connect to any listening ports
    PermitOpen none
    # User can listen on this server port
    PermitListen localhost:12345
    # Make sure we have heard from the nephew recently
    ClientAliveInterval 300
    PasswordAuthentication no
Some options may depend on the OpenSSH version you are running on your VPS.
On Sat, 1 Aug 2020 at 16:54, Billy Croan <Billy at croan.org> wrote:
>
> I'm giving a nephew his first linux computer, and I want to be able to
> connect to it remotely reliably if he runs into trouble, given the
> potential for travel restrictions in the US.
>
> I set up an ssh key on this laptop and an account for it on a vps of mine.
>
> I installed the ssh key on the vps, and am planning to wrap autossh in a
> systemd script. So that any time the system is booted, it will try to keep
> alive the ssh connection back to my VPS. And that ssh connection will use
> -R 12345:localhost:22 so that from my vps, I can ssh to his laptop through
> the reverse port forward.
>
> This will avoid him having to negotiate port forwarding. And it will be
> dependent on no 3rd party services that could change over time. As long as
> he "can get on the internet" by clicking around networkmanager, it should
> just connect in the background and stay connected.
>
> But I don't want that key to be able to do anything else on my VPS
> (shell, or socks proxy/regular port forwards). I've done similar locked keys
> before for other purposes, but never for a reverse port forward.
>
> So I looked through some documentation, googled a bit, and found:
>
> command="echo 'Port forwarding only account.'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen="127.0.0.1:8080" ssh-rsa AAAA-blahblahblahb
>
> I learned that if I follow no-port-forwarding with a permitopen in
> authorized-keys it creates specific allowed port forwards and all others
> will be denied. That sounds like what I want. But it was for
> regular/forward/-L port forwarding. What I need is a version of permitopen
> for reverse/-R port forwarding.
>
> I tried permitbind and permitlisten, and those were both nonexistent. I
> searched for a manpage for authorized_keys and didn't find out, but I did
> find a post on this very mailing list years ago asking for one. I ran sshd
> through gnu strings and looked for strings adjacent to permitopen that I
> might try, and nada.
>
> How can I accomplish this?
> (let an ssh key open specific remote port forwards but no local ports
> forwards, and no non-listed remotes)
>
> I'd rather not run a separate vm/public ip just for this, or a separate
> sshd instance in a selinux-limited chroot jail or something crazy like
> that. I'd really like to solve the key/account lockdown in the authkeys
> file, or sshd config.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
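Added example, not from the thread: a small Python audit of the sshd_config approach in the reply, modelling how sshd resolves Match blocks for a given user (first obtained value wins; a matching Match block overrides the global section) and checking the settings that make the account reverse-forward-only. The parser is an assumption for this example: it understands only Match User patterns and a bare Match All, whitespace-separated keywords and comment lines, and the sample config is constructed.

```python
import fnmatch  # sshd Match patterns use glob-style wildcards
# Constructed sample sshd_config: the reply's Match block (comments on their own
# lines, as sshd of that era required) under permissive global defaults.
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication yes
MaxSessions 10
PermitOpen any
Match User myNephew
    # ZERO -- no login sessions allowed
    MaxSessions 0
    PermitOpen none
    PermitListen localhost:12345
    PasswordAuthentication no
Match User backup*
    MaxSessions 1
"""

def _match_applies(criteria, user):
    """Evaluate a Match line; only User patterns and bare 'Match All' are modelled."""
    for crit, val in zip(criteria[::2], criteria[1::2]):
        if crit.lower() != "user":
            raise ValueError(f"unsupported Match criterion: {crit}")
        if not any(fnmatch.fnmatchcase(user, pat) for pat in val.split(",")):
            return False
    return True

def effective_options(config_text, user):
    """Resolve options as sshd does for `user`: first obtained value wins (in the
    global section and across matching Match blocks); Match overrides global."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or comment line
        key, value = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            target, active = match_opts, _match_applies(parts[1:], user)
        elif active:
            target.setdefault(key, value)  # first obtained value wins
    return {**global_opts, **match_opts}

def audit_lockdown(config_text, user, listen_spec):
    """Return deviations from the reverse-forward-only lockdown for `user`."""
    opts = effective_options(config_text, user)
    wanted = {"maxsessions": "0", "permitopen": "none",
              "passwordauthentication": "no", "permitlisten": listen_spec}
    return [f"{k} is {opts.get(k, 'unset')!r}, expected {v!r}"
            for k, v in wanted.items() if opts.get(k, "").lower() != v.lower()]
```

On the VPS itself, `sshd -T -C user=myNephew` prints the effective values for that user, so the same checks can be run against the live configuration rather than a parsed copy.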