As per previous discussions I'm going to set up an ssh reverse tunnel from my eeePC on the boat to my server at home. I will use autossh to run the ssh command on the eeePC so that it will get restarted if it dies for any reason.
The ssh command run on the eeePC on the boat will be something like:-
ssh -R 54321:localhost:22 user@my.home.server
this then allows me to do the following to make an ssh connection from the home server to the eeePC on the boat:-
ssh -p 54321 localhost
So far, so good, that works fine (I've checked it out with a netbook at home).
However I'd like to make it as secure as possible, the 'hole' I would like to plug is that I have generated an ssh key without a passphrase on the boat eeePC (which is copied to the 'user' login on the home server) so that the 'ssh -R ....' command runs without requiring any passphrase or password. (I can't use an agent really, it needs to be able to work completely unattended from power up)
The 'user' login is dedicated to the ssh connection so doesn't belong to a real person and doesn't own any files, it would allow passwordless access to a shell though at the moment. Is there any way of allowing ssh to connect still but to prevent it from actually doing anything at all? There's no need for 'user' to be able to do anything and if it can be set up so there's no shell or anything the passwordless login doesn't offer an intruder anything useful really.
On Wed, 15 Dec 2010 15:30:58 +0000 Chris G cl@isbd.net allegedly wrote:
> As per previous discussions I'm going to set up an ssh reverse tunnel from my eeePC on the boat to my server at home. I will use autossh to run the ssh command on the eeePC so that it will get restarted if it dies for any reason.
> The ssh command run on the eeePC on the boat will be something like:-
> ssh -R 54321:localhost:22 user@my.home.server
> this then allows me to do the following to make an ssh connection from the home server to the eeePC on the boat:-
> ssh -p 54321 localhost
Try "ssh -N -f -R 54321:localhost:22 user@your.home.server"
where user @ your home server has no shell (e.g. bin/false)
also see "man ssh"
Mick ---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
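Mick's suggestion (a forwarding-only login with a dead shell) can be tightened further on the key itself, which answers the original question of letting the key connect while preventing it from doing anything. The following is an added example, not code from either poster: it builds the locked-down authorized_keys entry for the tunnel user on the home server and the matching client command for the boat. It assumes OpenSSH 7.8 or newer on the server (for the `restrict` and `permitlisten` options; the older long form is shown in a comment), the port 54321 from the thread, and a constructed sample public key.

```shell
#!/bin/sh
# Added example (not from the thread): lock a passphrase-less tunnel key down
# in ~user/.ssh/authorized_keys on the home server so it can open the reverse
# tunnel and nothing else. Assumes OpenSSH 7.8+ for "restrict"/"permitlisten".

TUNNEL_PORT=54321   # port the home server listens on, as in the thread

# "restrict" switches off pty, agent/X11 forwarding, user rc and all port
# forwarding; "port-forwarding" turns forwarding back on and "permitlisten"
# limits the -R side to this one port. command="/bin/false" guarantees that
# nothing runs even if a session is requested.
tunnel_authorized_keys_line() {
    pubkey=$1   # e.g. "ssh-ed25519 AAAA... boat-eeepc"
    port=$2
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}
# Pre-7.8 equivalent (no permitlisten, so the port cannot be pinned):
#   no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,command="/bin/false" ssh-ed25519 AAAA...

# Client side for the boat: -N requests no session at all (the forced command
# never even runs), ExitOnForwardFailure makes ssh exit, so autossh restarts
# it, when the remote port is still held by a stale session, and the
# keepalives notice a dead link. "-M 0" disables autossh's own monitor port.
tunnel_client_command() {
    port=$1; server=$2
    printf 'autossh -M 0 -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 %s\n' \
        "$port" "$server"
}

# Sanity check for an existing authorized_keys line: returns 0 only when the
# lockdown options are all present.
check_locked_down() {
    case $1 in
        restrict,*port-forwarding*permitlisten=*command=\"/bin/false\"*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1-}" = "--demo" ]; then
    # constructed sample key, not a real one
    line=$(tunnel_authorized_keys_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY boat-eeepc" "$TUNNEL_PORT")
    echo "$line"
    check_locked_down "$line" && echo "authorized_keys entry is locked down"
    tunnel_client_command "$TUNNEL_PORT" user@my.home.server
fi
```

Run it with `--demo` to print the two lines. Because `-N` never opens a session channel, the account's login shell is irrelevant to the tunnel, so this works alongside a `/bin/false` shell rather than instead of it; an attacker who obtained the key from the eeePC would be left with a connection that can only listen on port 54321 on the home server's loopback interface.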
On 15/12/10 17:11, mick wrote:
> On Wed, 15 Dec 2010 15:30:58 +0000 Chris G cl@isbd.net allegedly wrote:
> Try "ssh -N -f -R 54321:localhost:22 user@your.home.server"
> where user @ your home server has no shell (e.g. bin/false)
> also see "man ssh"
Also, remove "user" from any unnecessary user groups.
Edit the sshd_config file (or whatever the equivalent is) to lock it down, e.g.
  permit_root_login = false
  strictmodes=yes
  allowedgroups=     # i.e. no groups
  allowedusers=USER  # I think the above is right, not sure...
  IgnoreRhosts yes
Also, you may like to use a non-standard port to run SSH on and/or run intrusion detection system like Fail2Ban or Denyhosts or both.
When I ran an SSH server on port 22, I was amazed to see the access log fill up with script kiddies trying to login. As you're using a KEY, you should be safe, however, if you use a non-standard port number for SSH, then they won't know you're there, and won't try to hack in.
Fail2Ban or Denyhosts can check access logs and ban people trying to hack your system, and/or downloads a list of suspect ip addresses which it blocks from your system. Perhaps this is a bit paranoid if you're running on a non-standard port. Check your access logs after a while of working successfully and see if there are any login attempts that aren't you! Be careful you don't lock yourself out of your own system!
HTH Steve
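Steve's sshd_config points, in the spelling sshd actually accepts, and his advice to check the logs, as an added example that is not from the thread. It writes a server configuration that keeps the global hardening (root login and passwords off, only the tunnel account allowed) and adds a `Match` block confining that account, shows the two checks to run before restarting sshd so a typo cannot lock you out, and counts failed logins per source address from constructed auth.log lines. It assumes OpenSSH 7.8 or newer (for `PermitListen`), a Debian-style auth.log format, an account named `user`, port 54321 from the thread, and a non-standard listening port of 2222 chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): an sshd_config Match block for the
# tunnel account, the checks to run before restarting sshd, and a small
# failed-login tally over auth.log. Assumes OpenSSH 7.8+ and Debian-style logs.

TUNNEL_USER=user
TUNNEL_PORT=54321
SSH_PORT=2222   # non-standard port, an assumption for this example

# Global hardening plus a Match block that only applies to the tunnel user.
# With ForceCommand /bin/false and PermitTTY no, a session gets nothing;
# AllowTcpForwarding remote + PermitListen allows only the -R side on one
# port, and GatewayPorts no keeps that port on the server's loopback.
tunnel_sshd_config() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
IgnoreRhosts yes
StrictModes yes
AllowUsers $TUNNEL_USER

Match User $TUNNEL_USER
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding remote
    PermitListen $TUNNEL_PORT
    GatewayPorts no
EOF
}

# Run this BEFORE restarting sshd: "sshd -t" parses the file, and
# "sshd -T -C user=..." prints the settings that would really apply to the
# tunnel account, so you can confirm the Match block took effect.
validate_config() {
    f=$1
    sshd -t -f "$f" || return 1
    sshd -T -f "$f" -C user="$TUNNEL_USER" | grep -iq '^forcecommand /bin/false$'
}

# Tally failed logins per source address from auth.log lines on stdin.
# Output lines are "<count> <ip>", highest count first.
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' |
        sed -E 's/.* from ([0-9.]+).*/\1/' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample log lines, not a real log.
SAMPLE_LOG='Dec 15 17:11:01 home sshd[1234]: Failed password for root from 203.0.113.5 port 4000 ssh2
Dec 15 17:11:03 home sshd[1235]: Invalid user admin from 203.0.113.5 port 4001
Dec 15 17:11:09 home sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Dec 15 17:12:00 home sshd[1240]: Accepted publickey for user from 198.51.100.7 port 5000 ssh2
Dec 15 17:13:00 home sshd[1241]: Failed password for user from 198.51.100.9 port 5001 ssh2'

# Worst source address in the sample; on a live box pipe auth.log instead.
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip | head -n 1
}

if [ "${1-}" = "--demo" ]; then
    tunnel_sshd_config
    echo "busiest failing source: $(top_offender)"
    # validate_config /etc/ssh/sshd_config   # needs sshd installed and root
fi
```

If the server moves to port 2222, the command on the boat needs `-p 2222` as well, and it is worth keeping an existing session open while restarting sshd with the new file. The `failed_logins_by_ip` tally is the same signal Fail2Ban or DenyHosts act on; over a non-standard port with key-only authentication it should stay near empty, which is exactly what Steve suggests checking.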