Title : Create a dedicated user for ssh tunneling only
Author: Solène
Date  : 17 April 2019
Tags  : openbsd ssh

I use ssh tunneling A LOT, for everything. Yesterday, I removed the
public access of my IMAP server, it's now only available through ssh
tunneling to access the daemon listening on localhost. I have plenty
of daemons listening only on localhost that I can only reach through a
ssh tunnel. If you don't want to bother with ssh and redirect ports you
need, you can also make a VPN (using ssh, openvpn, iked, tinc...)
between your system and your server. I tend to avoid setting up VPN for
the current use case as it requires more work and more maintenance than
running ssh server and a ssh client.

The last change, for my IMAP server, added an issue. I want my phone
to access the IMAP server but I don't want to connect to my main
account from my phone for security reasons. So, I need a dedicated
user that will only be allowed to forward ports.

This is done very easily on OpenBSD.

The steps are:
1. generate ssh keys for the new user
2. add an user with no password
3. allow public key for port forwarding

**Obviously, you must allow users (or only this one) to make port forwarding in
your sshd_config**.

### Generating ssh keys

Please generate the keys in a safe place, using

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    | **              |
    |  *     **  .    |
    |  *     *        |
    |  ****  *        |
    |     ****        |
    |                 |
    |                 |
    |                 |

This will create your public key in ~/.ssh/id_rsa.pub and the private key in

### Adding an user

On OpenBSD, we will create an user named **tunnel**, this is done with the
following command as root:

    # useradd -m tunnel

This user has no password and can't login on ssh.

### Allow the public key to port forward only

We will use the **command** restriction in the **authorized_keys** file to
allow the previously generated key to only forward.

Edit **/home/tunnel/.ssh/authorized_keys** as following

    command="echo 'Tunnel only!'" ssh-rsa PUT_YOUR_PUBLIC_KEY_HERE

This will tell "Tunnel only" and abort the connection if the user connects and
with a shell or a command.

### Connect using ssh

You can connect with [ssh(1)](https://man.openbsd.org/ssh.1) as usual but you
will require the flag **-N** to not start a shell on the remote server.

    $ ssh -N -L 10000:localhost:993 tunnel@host

If you want the tunnel to stay up in the most automated way possible, you can
use **autossh** from ports, which will do a great job at keeping ssh up.

    $ autossh -M 0 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "TCPKeepAlive yes" -N -v -L 9993:localhost:993 tunnel@host

This command will start autossh, restart if forwarding doesn't work which is
likely to happens when you lose connectivity, it takes some time for the remote
server to disable the forwarding effectively. It will make a keep alive check
so the tunnel stays up and ensure it's up (this is particularly useful on
wireless connection like 4G/LTE).

The others flags are also ssh parameters, to not start a shell, and for making
a local forwarding. Don't forget that as a regular user, you can't bind on
ports less than 1024, that's why I redirect the port 993 to the local port
9993 in the example.

### Making the tunnel on Android

If you want to access your personal services from your Android phone, you can
use **ConnectBot** ssh client. It's really easy:

1. upload your private key to the phone
2. add it in ConnectBot from the main menu
3. create a new connection the user and your remote host
4. choose to use public key authentication and choose the registered key
5. uncheck "start a shell session" (this is equivalent to -N ssh flag)
6. from the main menu, long touch the connection and edit the forwarded ports