Title : Create a dedicated user for ssh tunneling only Author: Solène Date : 17 April 2019 Tags : openbsd ssh I use ssh tunneling A LOT, for everything. Yesterday, I removed the public access of my IMAP server, it's now only available through ssh tunneling to access the daemon listening on localhost. I have plenty of daemons listening only on localhost that I can only reach through a ssh tunnel. If you don't want to bother with ssh and redirect ports you need, you can also make a VPN (using ssh, openvpn, iked, tinc...) between your system and your server. I tend to avoid setting up VPN for the current use case as it requires more work and more maintenance than running ssh server and a ssh client. The last change, for my IMAP server, added an issue. I want my phone to access the IMAP server but I don't want to connect to my main account from my phone for security reasons. So, I need a dedicated user that will only be allowed to forward ports. This is done very easily on OpenBSD. The steps are: 1. generate ssh keys for the new user 2. add an user with no password 3. allow public key for port forwarding **Obviously, you must allow users (or only this one) to make port forwarding in your sshd_config**. ### Generating ssh keys Please generate the keys in a safe place, using [ssh-keygen](https://man.openbsd.org/ssh-keygen) $ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: SHA256:SOMETHINGSOMETHINSOMETHINSOMETHINSOMETHING user@myhost The key's randomart image is: +---[RSA 3072]----+ | | | ** | | * ** . | | * * | | **** * | | **** | | | | | | | +----[SHA256]-----+ This will create your public key in ~/.ssh/id_rsa.pub and the private key in ~/.ssh/id_rsa ### Adding an user On OpenBSD, we will create an user named **tunnel**, this is done with the following command as root: # useradd -m tunnel This user has no password and can't login on ssh. ### Allow the public key to port forward only We will use the **command** restriction in the **authorized_keys** file to allow the previously generated key to only forward. Edit **/home/tunnel/.ssh/authorized_keys** as following command="echo 'Tunnel only!'" ssh-rsa PUT_YOUR_PUBLIC_KEY_HERE This will tell "Tunnel only" and abort the connection if the user connects and with a shell or a command. ### Connect using ssh You can connect with [ssh(1)](https://man.openbsd.org/ssh.1) as usual but you will require the flag **-N** to not start a shell on the remote server. $ ssh -N -L 10000:localhost:993 tunnel@host If you want the tunnel to stay up in the most automated way possible, you can use **autossh** from ports, which will do a great job at keeping ssh up. $ autossh -M 0 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "TCPKeepAlive yes" -N -v -L 9993:localhost:993 tunnel@host This command will start autossh, restart if forwarding doesn't work which is likely to happens when you lose connectivity, it takes some time for the remote server to disable the forwarding effectively. It will make a keep alive check so the tunnel stays up and ensure it's up (this is particularly useful on wireless connection like 4G/LTE). The others flags are also ssh parameters, to not start a shell, and for making a local forwarding. Don't forget that as a regular user, you can't bind on ports less than 1024, that's why I redirect the port 993 to the local port 9993 in the example. ### Making the tunnel on Android If you want to access your personal services from your Android phone, you can use **ConnectBot** ssh client. It's really easy: 1. upload your private key to the phone 2. add it in ConnectBot from the main menu 3. create a new connection the user and your remote host 4. choose to use public key authentication and choose the registered key 5. uncheck "start a shell session" (this is equivalent to -N ssh flag) 6. from the main menu, long touch the connection and edit the forwarded ports Enjoy!