*g* Nice that you want to explain, but I think I know what I'm talking about.
Quote:
Originally Posted by Terran
You can't do that without logging in to the host. I'll try to explain:
The ssh protocol is an end-to-end protocol, only the connections between two authenticated and authorized hosts are encrypted. You can use ssh tunnels between those two hosts once you're in. These tunnels encrypt the traffic between those hosts but not the traffic outside of these connections!
And (at least with OpenSSH) you can't restrict which ports are allowed to be forwarded - you only can turn it on or off.
What you could do would be to use stunnel instead of ssh. ( www.stunnel.org)
Use it to encrypt the pserver protocol and block the direct access to the pserver port using iptables. The drawback of this is that the developers need iptables at their machines too - but that's not a big problem.
An ssh login which does arbitrary application (terminal) forwarding needs to be able to log in, whilst a port-forwarding-only account can't log in. The difference is that with the normal ssh login account you can log into the server and get a shell, while the portfw-only login cannot log in and request a terminal.
It sounds not very different, but in terms of security it's a key point: the portfw-only user cannot try local root exploits (e.g. do_brk ..) since he cannot spawn a shell at all.
stunnel is not as secure as ssh unless a real PKI is used, although it's probably the easier one to set up, and security is very good already.
cheers memed
from man sshd:
[quote]
AUTHORIZED_KEYS FILE FORMAT
$HOME/.ssh/authorized_keys is the default file that lists the public keys
that are permitted for RSA authentication in protocol version 1 and for
public key authentication (PubkeyAuthentication) in protocol version 2.
AuthorizedKeysFile may be used to specify an alternative file.
...
...
...
no-pty Prevents tty allocation (a request to allocate a pty will fail).
permitopen="host:port"
Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses.
[/quote]
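Added example (not part of the forum post, and not from the OpenSSH project): a small POSIX shell script that builds a port-forwarding-only authorized_keys entry for the CVS pserver case discussed above, plus the matching client command. The host name cvs.example.com, the user name dev and the key string are constructed placeholders; 2401 is the standard CVS pserver port. Two points the script encodes that the man page excerpt does not spell out: no-pty alone only stops terminal allocation, a client can still run `ssh host somecommand`, so the entry also sets command="/bin/false" (a standard authorized_keys option) to force that command instead; and permitopen is matched literally against the host:port the client asks for, so a client tunnel of `-L 2401:localhost:2401` needs permitopen="localhost:2401", not the server's public name.

```shell
#!/bin/sh
# Added example: generate and sanity-check a forwarding-only authorized_keys
# entry for an ssh tunnel to a CVS pserver running on the ssh host itself.
# Host, user and key below are constructed placeholders, not real values.

# Options used (all standard OpenSSH authorized_keys options):
#   command=              forced command; whatever the client requests,
#                         sshd runs this instead, so no command execution
#   no-pty                a request for a terminal fails
#   no-X11-forwarding,
#   no-agent-forwarding   nothing but the one TCP tunnel is allowed
#   permitopen=           -L forwarding may only target this literal host:port
restricted_key_line() {
    target_host=$1; target_port=$2; pubkey=$3
    printf 'command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s:%s" %s\n' \
        "$target_host" "$target_port" "$pubkey"
}

# Client side. -N asks for no remote shell or command, so the forced command
# never runs and the connection stays up carrying only the tunnel; without
# -N, /bin/false would run, exit, and take the session down with it.
# The forward target "localhost:2401" is what permitopen is compared against.
client_command() {
    ssh_host=$1; pserver_port=$2; ssh_user=$3
    printf 'ssh -N -L %s:localhost:%s %s@%s\n' \
        "$pserver_port" "$pserver_port" "$ssh_user" "$ssh_host"
}

# Check an authorized_keys line carries the three restrictions that matter.
# A line without them (a bare key) silently grants a full login.
check_line() {
    case $1 in
        command=*no-pty*permitopen=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample public key (placeholder, not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER dev@laptop'

# Stand-alone run: print the server-side entry and the client-side command.
restricted_key_line localhost 2401 "$SAMPLE_KEY"
client_command cvs.example.com 2401 dev
```

The printed entry goes into ~dev/.ssh/authorized_keys on the server as a single line; the developer then runs the printed ssh command and points the CVS client at localhost:2401. Pair this with Terran's iptables suggestion (drop external traffic to 2401) so the tunnel is the only way in.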