💾 Archived View for perso.pw › blog › articles › ssh-tunneling.gmi captured on 2023-06-16 at 16:47:04. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-05-24)

➡️ Next capture (2024-03-21)

-=-=-=-=-=-=-

Create a dedicated user for ssh tunneling only

on Mastodon

I use ssh tunneling A LOT, for everything. Yesterday, I removed the

public access of my IMAP server, it's now only available through ssh

tunneling to access the daemon listening on localhost. I have plenty

of daemons listening only on localhost that I can only reach through a

ssh tunnel. If you don't want to bother with ssh and redirect ports you

need, you can also make a VPN (using ssh, openvpn, iked, tinc...)

between your system and your server. I tend to avoid setting up VPN for

the current use case as it requires more work and more maintenance than

running ssh server and a ssh client.

The last change, for my IMAP server, added an issue. I want my phone

to access the IMAP server but I don't want to connect to my main

account from my phone for security reasons. So, I need a dedicated

user that will only be allowed to forward ports.

This is done very easily on OpenBSD.

The steps are:

1. generate ssh keys for the new user

2. add a user with no password

3. allow public key for port forwarding

your sshd_config**.

Generating ssh keys

Please generate the keys in a safe place, using

[ssh-keygen](https://man.openbsd.org/ssh-keygen)

$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/user/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/user/.ssh/id_rsa.

Your public key has been saved in /home/user/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:SOMETHINGSOMETHINSOMETHINSOMETHINSOMETHING user@myhost

The key's randomart image is:

+---[RSA 3072]----+

| |

| ** |

| * ** . |

| * * |

| **** * |

| **** |

| |

| |

| |

+----[SHA256]-----+

This will create your public key in ~/.ssh/id_rsa.pub and the private key in

~/.ssh/id_rsa

Adding a user

On OpenBSD, we will create a user named **tunnel**, this is done with the

following command as root:

# useradd -m tunnel

This user has no password and can't login on ssh.

Allow the public key to port forward only

We will use the **command** restriction in the **authorized_keys** file to

allow the previously generated key to only forward.

Edit **/home/tunnel/.ssh/authorized_keys** as following

command="echo 'Tunnel only!'" ssh-rsa PUT_YOUR_PUBLIC_KEY_HERE

This will tell "Tunnel only" and abort the connection if the user connects and

with a shell or a command.

Connect using ssh

You can connect with [ssh(1)](https://man.openbsd.org/ssh.1) as usual but you

will require the flag **-N** to not start a shell on the remote server.

$ ssh -N -L 10000:localhost:993 tunnel@host

If you want the tunnel to stay up in the most automated way possible, you can

use **autossh** from ports, which will do a great job at keeping ssh up.

$ autossh -M 0 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "TCPKeepAlive yes" -N -v -L 9993:localhost:993 tunnel@host

This command will start autossh, restart if forwarding doesn't work which is

likely to happens when you lose connectivity, it takes some time for the remote

server to disable the forwarding effectively. It will make a keep alive check

so the tunnel stays up and ensure it's up (this is particularly useful on

wireless connection like 4G/LTE).

The others flags are also ssh parameters, to not start a shell, and for making

a local forwarding. Don't forget that as a regular user, you can't bind on

ports less than 1024, that's why I redirect the port 993 to the local port

9993 in the example.

Making the tunnel on Android

If you want to access your personal services from your Android phone, you can

use **ConnectBot** ssh client. It's really easy:

1. upload your private key to the phone

2. add it in ConnectBot from the main menu

3. create a new connection the user and your remote host

4. choose to use public key authentication and choose the registered key

5. uncheck "start a shell session" (this is equivalent to -N ssh flag)

6. from the main menu, long touch the connection and edit the forwarded ports

Enjoy!