@smoser
Last active July 29, 2025 13:46
set up a ssh tunnel only user for ssh proxy jump

Set up a ssh tunnel only user

In order to give someone access to hosts that are available only by ssh "bouncing" (ProxyJump), add a user for this specific purpose.

We have an internal openstack where instances get IPs on per-tenant networks. Each tenant has a 'bastion' host that has a "public" ip (floating ip). You can access other instances by bouncing through the bastion. From time to time I want to let someone else into an instance. This could be done either with:

a.) Just give them shell access to the bastion and let them hop through. Sharing an unrestricted shell account on my bastion is less than ideal.

b.) Assign a floating/"public" IP to the instance so they could go directly in. Floating IPs are limited, so this is less than ideal.

So instead, I have set up a single user as described here that can only be used for ProxyJump. It allows others proxied access to my instances but without granting them full shell access.

Here's how you can set this up.

  • Pick a name

     JUMP_USER="sshjump"
    
  • configure sshd

    We match by Match User here, but could also use Match Group. Add the following to your /etc/ssh/sshd_config, and make sure to adjust sshjump to your JUMP_USER

     Match User sshjump
       AllowAgentForwarding no
       AllowTcpForwarding yes
       X11Forwarding no
       PermitTunnel no
       GatewayPorts no
       ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
    

    Then, restart sshd:

     sudo systemctl restart ssh
    
  • Add the user

    The shell can actually be /bin/true, but then the ForceCommand directive will never run, and its message is useful to someone who connects to the account directly.

      sudo useradd "$JUMP_USER" "--home-dir=/home/$JUMP_USER" --create-home --shell=/bin/rbash
      # if you want to, set a password.
      sudo passwd "$JUMP_USER"
    
  • Add some ssh keys

      sudo -Hu "$JUMP_USER" ssh-import-id smoser
    
  • Try it out

    assuming you want to give access to [email protected] and your host is jumphost

      ssh -J sshjump@jumphost [email protected]
    
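The steps above, bundled into one script as an added example (this is not code from the gist): `render_jump_match_block` prints the Match block for a chosen user, `audit_jump_config` checks an sshd_config for that block with the expected values before you restart sshd, and `setup_jump_user` runs the gist's commands end to end. The `sshd -t` syntax check before the restart is an addition; the ssh-import-id handle and paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the gist. Renders the gist's Match block, audits an
# sshd_config for it, and wraps the gist's setup steps in one function that must
# be run by hand as root. The ssh-import-id handle and paths are assumptions.

# render_jump_match_block USER: print the sshd_config Match block from the gist.
render_jump_match_block() {
    cat <<EOF
Match User $1
  AllowAgentForwarding no
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
EOF
}

# audit_jump_config FILE USER: return 0 when the "Match User USER" block in FILE
# sets each directive to the value the gist requires, 1 otherwise (reasons on stderr).
audit_jump_config() {
    _file="$1"; _user="$2"
    # Keep only the lines between "Match User USER" and the next Match line.
    _block=$(awk -v u="$_user" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == u); next }
        inblock { print }' "$_file")
    if [ -z "$_block" ]; then
        echo "audit: no 'Match User $_user' block in $_file" >&2
        return 1
    fi
    _rc=0
    for _want in "AllowAgentForwarding no" "AllowTcpForwarding yes" \
                 "X11Forwarding no" "PermitTunnel no" "GatewayPorts no"; do
        _key=${_want% *}; _val=${_want#* }
        # sshd uses the first value it sees for a keyword, so take the first one.
        _got=$(printf '%s\n' "$_block" |
               awk -v k="$_key" 'tolower($1) == tolower(k) { print tolower($2); exit }')
        if [ "$_got" != "$_val" ]; then
            echo "audit: $_key is '${_got:-unset}', expected '$_val'" >&2
            _rc=1
        fi
    done
    if ! printf '%s\n' "$_block" | grep -qi '^[[:space:]]*ForceCommand[[:space:]]'; then
        echo "audit: ForceCommand missing (the user's login shell would run instead)" >&2
        _rc=1
    fi
    return $_rc
}

# setup_jump_user USER [SSH_IMPORT_ID]: the gist's steps end to end. Needs root
# and a running sshd; not called by this file, run it by hand.
#   Usage: setup_jump_user sshjump smoser
setup_jump_user() {
    _user="$1"; _import="${2:-}"
    render_jump_match_block "$_user" | sudo tee -a /etc/ssh/sshd_config >/dev/null
    sudo sshd -t                       # refuse to restart on a config syntax error
    sudo systemctl restart ssh
    sudo useradd "$_user" --home-dir="/home/$_user" --create-home --shell=/bin/rbash
    if [ -n "$_import" ]; then
        sudo -Hu "$_user" ssh-import-id "$_import"
    fi
    audit_jump_config /etc/ssh/sshd_config "$_user"
}
```

The audit only looks inside the Match block, so a global `AllowTcpForwarding no` above it would not be flagged; the Match block value overrides it for this user anyway, which is what you want.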

References

The following urls had information to help put this together:

@pierreboudes

Hi, thank you for your post. Only one thing puzzles me: while in rbash, a user can surely invoke bash to escape the restricted shell.

@Happy86

Happy86 commented Jul 29, 2025

Thank you for the gist. :-)

If you also want to restrict the targets the user is allowed to reach you can use PermitOpen (see man sshd_config).

Though I have not yet tried to specify a subnets like PermitOpen [2001:db8:cafe:beef::/112]:22 192.0.2.0/24:22.

Match User sshjump
  PasswordAuthentication no
  PubkeyAuthentication yes
  AllowAgentForwarding no
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
  PermitOpen host1:22 ip-address:* ...

> Hi, thank you for your post. Only one thing puzzles me: while in rbash, a user can surely invoke bash to escape the restricted shell.

@pierreboudes I tried specifying a binary like /bin/hostname or /bin/bash / bash as a command argument for ssh but it only executes the ForceCommand and then disconnects:

ssh [email protected] /bin/hostname
This account can only be used for ProxyJump (ssh -J)

If you want to be sure, you can just set --shell=/bin/true for the sshjump user as the gist suggests and leave out ForceCommand echo ... from the /etc/ssh/sshd_config. :-)
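As an added example (not part of the comment above or the gist), a small shell model of how a PermitOpen list restricts the targets a ProxyJump user can reach, so a list can be checked against the hosts you intend to allow before it goes into sshd_config. It models only the forms from sshd_config(5) that the comment uses: `any`, `none`, `host:port`, `IPv4:port`, `[IPv6]:port`, and a port of `*`; CIDR entries are not modelled, and the host names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist or the comments. Models PermitOpen matching
# for literal host:port entries with an optional "*" port; CIDR is not modelled.

# permit_open_allows "LIST" HOST PORT: 0 when HOST:PORT matches an entry, 1 otherwise.
permit_open_allows() {
    _list="$1"; _host="$2"; _port="$3"
    case "$_list" in
        any)  return 0 ;;
        none) return 1 ;;
    esac
    for _entry in $_list; do
        _ehost=${_entry%:*}      # everything before the last colon
        _eport=${_entry##*:}     # everything after it
        # IPv6 literals are written [addr]:port; strip the brackets for comparison
        case "$_ehost" in
            \[*\]) _ehost=${_ehost#\[}; _ehost=${_ehost%\]} ;;
        esac
        [ "$_ehost" = "$_host" ] || continue
        if [ "$_eport" = "$_port" ] || [ "$_eport" = "*" ]; then
            return 0
        fi
    done
    return 1
}

# check_permit_open "LIST" TARGET...: print "allow"/"deny" per host:port target.
check_permit_open() {
    _list="$1"; shift
    for _t in "$@"; do
        _th=${_t%:*}; _tp=${_t##*:}
        case "$_th" in \[*\]) _th=${_th#\[}; _th=${_th%\]} ;; esac
        if permit_open_allows "$_list" "$_th" "$_tp"; then
            echo "allow $_t"
        else
            echo "deny  $_t"
        fi
    done
}

# Constructed sample: the list from the comment with placeholder values filled in.
check_permit_open "host1:22 192.0.2.10:*" host1:22 host1:2222 192.0.2.10:8080 192.0.2.11:22
```

One caveat the model makes visible: sshd compares the host exactly as the client asked for it in the forwarding request, without resolving names, so `host1:22` and the IP address of host1 are two different entries. If users are allowed to reach a host by either name or address, list both forms.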
