Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A script to launch user sshd limited to creation of reverse tunnels
#!/bin/sh
AUTHORIZED_KEYS=authorized_keys
HOST_RSA_KEY=ssh_host_rsa_key
SSHD=/usr/sbin/sshd
PORT=8443
case "$AUTHORIZED_KEYS" in /*) ;; *) AUTHORIZED_KEYS=$PWD/$AUTHORIZED_KEYS ;; esac
case "$HOST_RSA_KEY" in /*) ;; *) HOST_RSA_KEY=$PWD/$HOST_RSA_KEY ;; esac
if [ ! -e $AUTHORIZED_KEYS ]; then
echo "Didn't find authorized keys file $AUTHORIZED_KEYS"
echo "Since password authentication is disabled you will not be able to login"
exit
fi
if [ ! -e $HOST_RSA_KEY ]; then
echo "Didn't find preexisting host keys, will generate $HOST_RSA_KEY"
ssh-keygen -t rsa -f $HOST_RSA_KEY -P ''
fi
TMP_SSHD_CONFIG=`mktemp`
trap "rm -f $TMP_SSHD_CONFIG" EXIT INT TERM HUP
cat > $TMP_SSHD_CONFIG << EOF
Port $PORT
HostKey $HOST_RSA_KEY
UsePrivilegeSeparation no
# otherwise we won't catch which ports are open
LogLevel DEBUG
PubkeyAuthentication yes
AuthorizedKeysFile $AUTHORIZED_KEYS
PidFile /dev/null
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
# User-launched sshd will not be able to change user anyway
# yet we can prevent it from vain attempts
AllowUsers $USER
ForceCommand echo "no shell access is given"
AllowTcpForwarding remote
X11Forwarding no
PermitTunnel no
EOF
SSHD_CONFIG=$TMP_SSHD_CONFIG
$SSHD -De -f $SSHD_CONFIG 2>&1 | awk "/^debug1: Local forwarding listening/ { print $1 } /^debug1:/ { next } { print $1 }"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.