On Thu, Oct 04, 2012 at 09:50:04AM +0100, Laurie Brown wrote:
> On 03/10/2012 19:49, Chris Green wrote:
> > If I want to do something like:-
> > ssh -R 12345:localhost:80 -N chris@mycomputer.com
> > from a remote machine with a passwordless login is there any way I can make it so that the *only* thing allowed from the remote machine is the ssh tunnel?
> > I want to be able to see the apache web server running on the remote computer from my home machine. The remote computer may have occasional reboots/upgrades etc. so it needs a passwordless login to be able to reconnect the ssh tunnel. At present I don't allow passwordless (i.e. public key with no passphrase) logins and I don't want to allow them unless I can, as stated above, somehow allow ssh to only be used to create a tunnel.
> I'm not sure I fully understand what you're trying to achieve, but it seems that you want to limit access to SSH by initiating the connections at the remote end. As Keith says, once the certificate is "live" there's no way to tell if it's passwordless or otherwise. That said, I think he, and I, have got the wrong end of the stick and assumed that by password-less login you mean via certificates and passwords. That's not at all clear...
Sorry, maybe I wasn't clear.
The *only* person who has logins to my machine (from remote systems) is me, so it's only me that is creating keys etc. for logins. At present my firewall only allows ssh connections (port 22) from two specific IP addresses (hosting services where I have ssh access) and requires a password (not public key) for authentication. Thus, to break in, someone needs two passwords and the knowledge of the route to be taken to log in.
I want to get access (for me only) to an apache server running on our boat in France. The system on the boat has a good WiFi connection. It already runs an ssh connection like:-
ssh -R 12345:localhost:80 -N chris@mycomputer.com
to one of the hosting services where I have ssh access, this allows me to connect through the ssh tunnel to the system on the boat and I can update it, configure it, etc. using the command line from here at home. The ssh from the boat system to the hosting server uses a public-key with no passphrase so it's "passwordless" and if/when the system on the boat gets restarted for whatever reason it can reconnect successfully.
What I want to do is to run a similar ssh tunnelling command from the system on the boat to my system at home, it needs to be public-key with no passphrase but I don't want it to provide any sort of access from outside, I just want to be able to reverse tunnel down the connection to access port 80 on the system on the boat. I have already confirmed that it works using two hops as for my ssh command line access. However I'd like to make it easier to use so that I can just click on a link in my browser and just see what's happening on the boat. Thus I want to have the sshd on my desktop box only allow a remote to make the ssh tunnel and nothing else.
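As an added example (not code from anyone in this thread; the only command Chris posted is the ssh -R line above), the following script shows how OpenSSH itself can confine a passphrase-less key to "make the reverse tunnel and nothing else": an authorized_keys entry built from the key options restrict, port-forwarding, permitlisten and command=, a matching sshd_config Match block, the client-side ssh line that exits (so a supervisor can reconnect) when the listener cannot be bound, and a small audit that flags authorized_keys entries lacking the restriction. It assumes OpenSSH 7.8 or newer on the receiving sshd (restrict needs 7.2+, permitlisten 7.8+); the dedicated user name "boat", the host home.example.com, port 12345 and all key material are illustrative and constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes OpenSSH 7.8+ on the
# sshd side ("restrict" needs 7.2+, "permitlisten" needs 7.8+). The user "boat", the
# host home.example.com, port 12345 and every key string below are constructed.

# authorized_keys options that confine the passphrase-less key to the reverse tunnel:
#   restrict                        disable pty, agent/X11 forwarding, ~/.ssh/rc and ALL forwarding
#   port-forwarding                 re-enable only TCP forwarding
#   permitlisten="localhost:12345"  the only -R listener the client may ask sshd to open
#   command="/bin/false"            if a shell/command is requested anyway, run nothing and exit
TUNNEL_OPTS='restrict,port-forwarding,permitlisten="localhost:12345",command="/bin/false"'

# Build an authorized_keys line from a public key ("type base64 [comment]").
tunnel_only_entry() {
    printf '%s %s\n' "$TUNNEL_OPTS" "$1"
}

# sshd_config Match block for a dedicated tunnel-only user: key-only auth, remote (-R)
# forwarding only, listener bound to loopback, no TTY, dead tunnels dropped after ~90 s.
sshd_match_block() {
    cat <<'EOF'
Match User boat
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowTcpForwarding remote
    PermitListen localhost:12345
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# Client side (the boat): ExitOnForwardFailure makes ssh quit if the remote listener cannot
# be bound (e.g. a stale one is still held), so autossh or a systemd Restart=always unit
# can retry; ServerAlive* detects a dead WiFi link instead of hanging forever.
client_command() {
    printf '%s\n' 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 12345:localhost:80 boat@home.example.com'
}

# Audit an authorized_keys file: print every key line whose option field lacks "restrict"
# or "command=", and return 1 if any such line exists (0 when all keys are confined).
audit_authorized_keys() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        # The option field, if present, is everything before the key-type token.
        case "$line" in
            ssh-*|ecdsa-*|sk-*) opts='' ;;
            *) opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}; opts=${opts%% sk-*} ;;
        esac
        confined=1
        case ",$opts," in
            *,restrict,*) ;;
            *) confined=0 ;;
        esac
        case ",$opts," in
            *,command=*) ;;
            *) confined=0 ;;
        esac
        if [ "$confined" -eq 0 ]; then
            printf 'UNRESTRICTED: %s\n' "$line"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample file: one confined entry, one bare key, one "restrict" without command=.
sample_authorized_keys() {
    tunnel_only_entry 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBOATTUNNEL0000000000000 boat-tunnel'
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYLAPTOP00000000000000000 chris@laptop'
    printf '%s\n' 'restrict,port-forwarding ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYOLDSTYLE00000000 old-style'
}

# Demo: audit the sample; the two unconfined entries are printed.
demo_file=$(mktemp)
sample_authorized_keys > "$demo_file"
audit_authorized_keys "$demo_file"
rm -f "$demo_file"
```

Two caveats a practitioner would check: with `ssh -N` the forced command is never run, so command= only matters if someone with the stolen key asks for a session, which is exactly the case you want it to cover; and on an sshd older than 7.2 the restrict keyword does not exist, so the equivalent is the explicit no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc options (with AllowTcpForwarding restricted in sshd_config), and the audit's restrict check would need to be adjusted accordingly.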