Date: Thu, 22 Sep 2005 14:01:08 -0400 From: Brian Reichert <reichert@numachi.com> To: Jeremie Le Hen <jeremie@le-hen.org> Cc: freebsd-security@freebsd.org, markzero <mark@darklogik.org> Subject: Re: Tunnel-only SSH keys Message-ID: <20050922180108.GJ74605@numachi.com> In-Reply-To: <20050922160959.GQ24643@obiwan.tataz.chchile.org> References: <20050922152718.GB91509@logik.internal.network> <20050922160959.GQ24643@obiwan.tataz.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 22, 2005 at 06:09:59PM +0200, Jeremie Le Hen wrote: > Hi, > > > I once read somewhere that it's possible to limit SSH pubkeys to > > 'tunnel-only'. I can't seem to find any information about this > > in any of the usual places. > > > > I'm going to be deploying a few servers in a couple of days and > > I'd like them to log to a central server over an SSH tunnel (using > > syslog-ng) however I'd like to prevent actual logins (hence > > 'tunnel-only'). > > > > Can this be done with OpenSSH? I'd like to try and stay away from > > the complexities of a chrooted-stunnel for now... > > I think you can use /bin/false as shell, and then use ``ssh -nN'' > from the client. I've not tested this, but I guess this should > work. See this discussion: http://www.blacksheepnetworks.com/security/hack/scponly.txt > Regards, > -- > Jeremie Le Hen > < jeremie at le-hen dot org >< ttz at chchile dot org > -- Brian Reichert <reichert@numachi.com> 55 Crystal Ave. #286 Daytime number: (603) 434-6842 Derry NH 03038-1725 USA BSD admin/developer at large
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050922180108.GJ74605>