Date: Sat, 23 Jul 2005 12:51:25 -0500
From: Trevor Sullivan <pcgeek86@gmail.com>
To: Hornet <hornetmadness@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Restrict Tunneling thru SSH
Message-ID: <42E2839D.4000607@gmail.com>
In-Reply-To: <list.freebsd.questions#list.freebsd.questions#f42935a605072306236b52d3ce@mail.gmail.com>
References: <list.freebsd.questions#list.freebsd.questions#42E04707.5050405@gmail.com> <list.freebsd.questions#list.freebsd.questions#f42935a605072306236b52d3ce@mail.gmail.com>
Hornet wrote:
> On 7/22/05, Trevor Sullivan <pcgeek86@gmail.com> wrote:
>
>> Hornet wrote:
>>
>>> On 7/21/05, Trevor Sullivan <pcgeek86@gmail.com> wrote:
>>>
>>>> Hello list, I am curious as to whether or not it is possible
>>>> to restrict certain users from tunneling traffic through SSH.
>>>> I would like to be able to tunnel my own traffic, but provide
>>>> user logins that are restricted from accessing the rest of my
>>>> inside network. Is it possible to restrict this by user?
>>>> Thanks
>>>>
>>>> Trevor
>>>
>>> I'm pretty sure it is an all or nothing config option in
>>> sshd.conf in the global sense. But you can make specific
>>> options for specific hosts.
>>>
>> So could I possibly restrict SSH tunneling by IP (host)? I guess
>> my concern is that if I create a user account, it will be able to
>> tunnel to other machines on my network w/o restriction. Is the
>> way to do this maybe a DMZ or separate VLAN?
>>
>> Trevor
>
> Yes, you should be able to do this via your sshd config. I would
> recommend using webmin for this. I have not done this before, but
> it looks doable. Are your users going to be using ssh, or is this
> just a SMB box? If it is just a SMB box, then I would just set the
> shell account to "nologin" since that is separate from the SMB
> account.
>
> Also I guess you could set up a firewall and restrict the ports
> that can talk on the LAN.
>
> -Erik-
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
Well I was thinking about setting up vsftpd as my ftp server. I tried
it a while ago and was having some issues with PAM while configuring
virtual users so I decided to use pure-ftpd for a while because that
was quite a bit easier to use. In the case of vsftpd, I don't really
hope to set up virtual users (as big a PITA as that was), so instead
I'm going to just use unix authentication. I guess...I could still
just set their shell to nologin huh? Didn't even think about
that...lol.

I do have a question though...I understand that for Mac OS X, there
is a program that establishes SSH tunnels w/o actually being an SSH
"client" per se...would this still allow the user to use something
like that?

Trevor
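Per-user tunnel restriction as an added sshd_config example (not from the thread; the user and group names are assumptions): OpenSSH 4.4 and later support Match blocks, so forwarding can be denied globally and re-enabled for one account. Since sshd enforces AllowTcpForwarding when any client asks for a forwarded channel, the setting holds whatever tunnel program the Mac side runs.

```sshd_config
# /etc/ssh/sshd_config -- per-user tunnel policy (OpenSSH 4.4+ for Match)
# Defaults apply to every login: no TCP forwarding, no X11, no tun devices.
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# Match blocks must come last: every directive after a Match line belongs
# to that block until the next Match. Account names here are assumed.

# The admin account keeps full forwarding (ssh -L to inside hosts).
Match User trevor
    AllowTcpForwarding yes

# Service-only accounts (the FTP users in the thread): no forwarding.
# A nologin shell alone is not enough, because "ssh -N -L ..." never
# asks for a shell and would still get its forwarded ports; and a user
# who does get a shell can run their own forwarder over the session,
# so deny both the shell and the forwarding.
Match Group ftponly
    AllowTcpForwarding no
    PermitTunnel no
    ForceCommand /usr/sbin/nologin
```

Check the effective settings for one account with `sshd -T -C user=someuser -f /etc/ssh/sshd_config` (OpenSSH 5.1+), which prints the values after Match evaluation. If a restricted user does need one inside host, `PermitOpen host:port` in their Match block narrows forwarding to that destination instead of removing it.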