On 03/10/2012 19:49, Chris Green wrote:
> If I want to do something like:-
>
> ssh -R 12345:localhost:80 -N chris@mycomputer.com
>
> from a remote machine with a passwordless login is there any way I can make it so that the *only* thing allowed from the remote machine is the ssh tunnel?
>
> I want to be able to see the apache web server running on the remote computer from my home machine. The remote computer may have occasional reboots/upgrades etc. so it needs a passwordless login to be able to reconnect the ssh tunnel. At present I don't allow passwordless (i.e. public key with no passphrase) logins and I don't want to allow them unless I can, as stated above, somehow allow ssh to only be used to create a tunnel.
I'm not sure I fully understand what you're trying to achieve, but it seems that you want to limit access to SSH by initiating the connections at the remote end. As Keith says, once the certificate is "live" there's no way to tell if it's passwordless or otherwise. That said, I think he, and I, have got the wrong end of the stick and assumed that by password-less login you mean via certificates and passwords. That's not at all clear... It's very common to set up SSH so that interactive user name login, with a password or not, is impossible, but is only possible with a certificate pair (validated on the connecting machine by password) and is a basic level of security for SSH everyone should use. The following page is a clear example of how to do this:
http://en.gentoo-wiki.com/wiki/SSH_Public_Key_Authentication
What you could try, if, as I suspect, you wish to limit access to the remote machine, is to use port-knocking and iptables to open the tunnel up, AND use certificate pairs.
http://en.gentoo-wiki.com/wiki/Port_Knocking
http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute...
http://www.soloport.com/iptables.html
I'm a big fan of Shorewall, so:
http://www.shorewall.net/3.0/PortKnocking.html
HtH. Laurie.
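The original question (a key with no passphrase that may only ever set up the -R tunnel) can be answered on the server side with key options, independently of port knocking. The fragment below is an added example and is not from either message in this thread; it assumes the server is mycomputer.com, the account is chris, the listening port is 12345 as in the quoted command, and the remote machine uses a dedicated key pair made only for this tunnel. The `restrict` option needs OpenSSH 7.2 or later and `permitlisten`/`PermitListen` need 7.8 or later; on an older sshd the equivalent is the spelled-out list `no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc` without the listen-port limit. KEY-PLACEHOLDER stands for the actual public key material.

```text
# --- On mycomputer.com, in ~chris/.ssh/authorized_keys (one line per key) ---
# Added example, not from the thread. KEY-PLACEHOLDER is the dedicated tunnel key.
# "restrict" switches off pty, agent forwarding, X11 forwarding, user-rc AND
# port forwarding; "port-forwarding" then re-enables forwarding alone, and
# "permitlisten" confines -R requests to the single port the tunnel needs.
# With "ssh -N" no shell is ever requested, so this key can only forward.
restrict,port-forwarding,permitlisten="12345" ssh-ed25519 AAAA...KEY-PLACEHOLDER tunnel-only@remote

# --- Belt and braces: the same limits in /etc/ssh/sshd_config on mycomputer.com,
# --- so they hold even if the key line is edited later (assumed account name chris)
Match User chris
    AllowTcpForwarding remote      # -R only; no -L / -D from this account
    PermitListen 12345             # the one port the tunnel may bind
    PermitTTY no                   # no interactive terminal
    ForceCommand /bin/false        # any shell/command request exits at once
    X11Forwarding no
    AllowAgentForwarding no
```

To check the result, log in from the remote machine with that key and try `ssh chris@mycomputer.com` without -N: the session should close immediately (ForceCommand), while the tunnel command from the question keeps working. A request for any other port, say `-R 2222:localhost:22`, is refused by sshd and logged as a rejected port-forwarding request in the auth log, which is the event to watch for if the remote machine is ever compromised.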