Restrict Tunneling thru SSH

Trevor Sullivan pcgeek86 at gmail.com
Sat Jul 23 17:39:54 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Hornet wrote:

> On 7/22/05, Trevor Sullivan <pcgeek86 at gmail.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160
>>
>> Hornet wrote:
>>
>>> On 7/21/05, Trevor Sullivan <pcgeek86 at gmail.com> wrote:
>>>
>>>> Hello list, I am curious as to whether or not it is possible
>>>> to restrict certain users from tunneling traffic through SSH.
>>>> I would like to be able to tunnel my own traffic, but provide
>>>> user logins that are restricted from accessing the rest of my
>>>> inside network. Is it possible to restrict this by user?
>>>> Thanks
>>>>
>>>> Trevor
>>>
>>> I'm pretty sure it is an all or nothing config option in
>>> sshd.conf in the global sense. But you can make specific
>>> options for specific hosts.
>>>
>> So could I possibly restrict SSH tunneling by IP (host)? I guess
>> my concern is that if I create a user account, it will be able to
>> tunnel to other machines on my network w/o restriction. Is the
>> way to do this maybe a DMZ or separate VLAN?
>>
>> Trevor
>
>
> Yes, should be able to do this via your sshd config. I would
> recommend using webmin for this. I have not done this before, but
> it looks doable. Are your users going to be using ssh, or is this
> just a SMB box? If it is just a SMB box, then I would just set the
> shell account to "nologin" since that is separate from the SMB
> account.
>
> Also I guess you could set up a firewall and restrict the ports
> that can talk on the LAN.
>
> -Erik- _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions To
> unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
Well I was thinking about setting up vsftpd as my ftp server. I tried
it a while ago and was having some issues with PAM while configuring
virtual users so I decided to use pure-ftpd for a while because that
was quite a bit easier to use. In the case of vsftpd, I don't really
hope to set up virtual users (as big a PITA as that was), so instead I'm
going to just use unix authentication. I guess...I could still just
set their shell to nologin huh? Didn't even think about that...lol. I
do have a question though...I understand that for Mac OSX, there is a
program that establishes SSH tunnels w/o actually being an SSH
"client" per se...would this still allow the user to use something like
that?

Trevor
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFC4oOdoGycRpOgdeERA36iAJoCN1k/Sf4nu1sx1ypgPhDeyyBREQCfUWKq
t3a7LwrSKVZkPr44m4SsmiE=
=g305
-----END PGP SIGNATURE-----
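
Added example (not part of the original thread or of any poster's reply), showing the per-user restriction asked about above. In OpenSSH 4.4 and later, sshd_config accepts "Match User" / "Match Group" blocks, so TCP forwarding can be denied globally and re-enabled for a single account, optionally limited to named destinations with PermitOpen. sshd enforces the setting on every forward request regardless of which program on the client asks for it, so a tunnel-only tool on a Mac gets the same refusal as "ssh -L"; and because a port-forward channel never needs a session, a nologin shell on its own does not block forwarding. The "admin" account, the "ftponly" group and the 192.0.2.10 address are assumptions for illustration; the small awk resolver only models sshd's "first matching value wins" rule so the fragment's effect can be checked offline.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes OpenSSH 4.4 or later
# (when "Match" blocks were introduced). "admin" and the "ftponly" group are
# hypothetical names; 192.0.2.10 is a documentation address.

# sshd_config fragment: the global default denies forwarding, Match blocks
# re-enable it only for the accounts that should have it.
SSHD_CONFIG_FRAGMENT='
# Global section: nobody gets -L/-R/-D forwards, X11 or tun devices.
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no

# The administrator may tunnel, but only to one internal host/port.
Match User admin
    AllowTcpForwarding yes
    PermitOpen 192.0.2.10:3389

# FTP-style accounts with Unix passwords: sftp only, no shell, no forwards.
# (A nologin shell alone does not stop "ssh -N -L", because a port-forward
# channel never needs a session; the deny has to come from sshd itself.)
Match Group ftponly
    AllowTcpForwarding no
    ForceCommand internal-sftp
'

# effective_setting USER GROUP KEYWORD
# Prints the value sshd would apply for KEYWORD when USER (primary group
# GROUP) logs in: the first matching Match block wins for that keyword,
# otherwise the global value. Reduced model of sshd's "first obtained value
# is used" rule: exact user/group names only, no wildcards or comma lists.
# On a real host use "sshd -T -C user=USER" instead.
effective_setting() {
    printf '%s\n' "$SSHD_CONFIG_FRAGMENT" |
    awk -v user="$1" -v group="$2" -v key="$3" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        tolower($1) == "match" {               # start of a Match block
            in_match = 1; active = 1
            for (i = 2; i <= NF; i += 2) {
                crit = tolower($i); pat = $(i + 1)
                if (crit == "user")       { if (pat != user)  active = 0 }
                else if (crit == "group") { if (pat != group) active = 0 }
                else                      { active = 0 }   # unsupported criterion
            }
            next
        }
        tolower($1) == tolower(key) {
            value = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", value)   # strip keyword, keep args
            if (!in_match && global == "")                global  = value
            else if (in_match && active && matched == "") matched = value
        }
        END { print (matched != "" ? matched : global) }
    '
}

# Demonstration: who can forward what under this fragment.
for who in "admin wheel" "ftpuser ftponly" "alice users"; do
    set -- $who
    printf '%-8s AllowTcpForwarding=%s PermitOpen=%s ForceCommand=%s\n' "$1" \
        "$(effective_setting "$1" "$2" AllowTcpForwarding)" \
        "$(effective_setting "$1" "$2" PermitOpen)" \
        "$(effective_setting "$1" "$2" ForceCommand)"
done
```

To use the fragment for real, append it to /etc/ssh/sshd_config, run "sshd -t" to syntax-check the file, and on newer OpenSSH confirm the effective values with "sshd -T -C user=admin" before reloading sshd.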
