SSH: Effects of no-pty login option in authorized_keys
After some research and experimentation this combination of options seems to do the trick:

command="",restrict,port-forwarding,permitopen="localhost:80"

Let me go through each of them individually:

- command="" disallows any command to be executed using this key.
- restrict disables all options, such as TTY allocation, port forwarding, agent forwarding, user-rc, and X11 forwarding, all at once.
- port-forwarding enables TCP port forwarding, but see below.
- permitopen="localhost:80" limits TCP port forwarding to local port 80. That's the only thing this key should allow.

I've been able to figure this out mainly by reading the Client Configuration Files chapter of the OpenSSH WikiBook, so the majority of credit goes to its authors (Lars Noodén et al.). The missing part was port-forwarding: without it forwarding is forbidden even though permitopen would suggest otherwise.
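As an added example (my own code, not from the answer above, from OpenSSH or from the WikiBook it cites), the following Python audit parses authorized_keys lines, applies the options left to right with the semantics the answer describes (restrict switches everything off, a later port-forwarding switches forwarding back on, permitopen only narrows forwarding once it is enabled) and reports what each key can still do. It goes beyond the single line in the answer: it handles quoted values with commas, the no-* and positive toggles, and lines with no options at all. The regexes, the KEY_TYPE list, the Effective class, the finding texts and the sample lines with placeholder key blobs are all my assumptions, not anything from the page.

```python
# Added example, not code from the original answer. Models sshd(8) option handling as I
# understand it: options apply left to right, "restrict" turns off PTY, port/agent/X11
# forwarding and ~/.ssh/rc, a later "port-forwarding" turns forwarding back on, and
# permitopen only matters once forwarding is on.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Key types that may start a line with no option field (assumed list; extend as needed).
KEY_TYPE = re.compile(r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$")
# The option field runs to the first whitespace outside double quotes.
OPTFIELD = re.compile(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
# One option: name, optional =value (quoted, may hold commas and \" escapes, or bare).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:=(?:"((?:[^"\\]|\\.)*)"|([^,]*)))?(?:,|$)')
TOGGLES = {"pty": "pty", "port-forwarding": "port_forwarding", "agent-forwarding": "agent_forwarding",
           "x11-forwarding": "x11_forwarding", "user-rc": "user_rc"}

def split_options(opts: str) -> List[Tuple[str, Optional[str]]]:
    out = []
    for m in OPTION.finditer(opts):
        name, quoted, bare = m.groups()
        out.append((name, quoted.replace('\\"', '"') if quoted is not None else bare))
    return out

@dataclass
class Effective:
    pty: bool = True
    port_forwarding: bool = True
    agent_forwarding: bool = True
    x11_forwarding: bool = True
    user_rc: bool = True
    forced_command: Optional[str] = None  # None: the client may request any command
    permitopen: List[str] = field(default_factory=list)

def effective_permissions(opts: str) -> Effective:
    e = Effective()
    for name, value in split_options(opts):
        n = name.lower()  # sshd compares option names case-insensitively
        if n == "restrict":
            for attr in TOGGLES.values():
                setattr(e, attr, False)
        elif n in TOGGLES:
            setattr(e, TOGGLES[n], True)
        elif n.startswith("no-") and n[3:] in TOGGLES:
            setattr(e, TOGGLES[n[3:]], False)
        elif n == "command":
            e.forced_command = value or ""
        elif n == "permitopen":
            e.permitopen.append(value or "")
        # from=, environment=, expiry-time= and others do not change what is audited here
    return e

def parse_line(line: str):
    """Return (options, key_type, key_blob, comment), or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE.match(line.split()[0]):
        opts, rest = "", line
    else:
        m = OPTFIELD.match(line)
        if not m:
            raise ValueError("malformed option field: " + line)
        opts, rest = m.group(0), line[m.end():]
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: " + line)
    return opts, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def tunnel_findings(e: Effective) -> List[str]:
    """Everything that stops a key being tunnel-only; empty means it can only open permitopen targets."""
    checks = [
        (e.forced_command is None, "no command= option: client can run a shell or any command"),
        (e.pty, "PTY allocation allowed"),
        (e.agent_forwarding, "agent forwarding allowed"),
        (e.x11_forwarding, "X11 forwarding allowed"),
        (e.user_rc, "~/.ssh/rc execution allowed"),
        (not e.port_forwarding, "port forwarding disabled: permitopen has no effect, tunnel refused"),
        (e.port_forwarding and not e.permitopen, "port forwarding allowed to any destination"),
    ]
    return [msg for bad, msg in checks if bad]

def audit(text: str) -> List[Tuple[str, List[str]]]:
    """One (comment, findings) entry per key line, in file order."""
    results = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            opts, _type, _blob, comment = parsed
            results.append((comment, tunnel_findings(effective_permissions(opts))))
    return results

# Constructed sample file; the key blobs are placeholders, not real keys. Line 1 is the
# option set from the question, line 2 the one from the answer.
SAMPLE = """\
restrict,permitopen="localhost:80" ssh-ed25519 AAAAC3PLACEHOLDER0001 tunnel-question
command="",restrict,port-forwarding,permitopen="localhost:80" ssh-ed25519 AAAAC3PLACEHOLDER0002 tunnel-answer
no-pty,from="10.0.0.1,10.0.0.2" ssh-ed25519 AAAAC3PLACEHOLDER0003 no-pty-only
ssh-ed25519 AAAAC3PLACEHOLDER0004 plain
"""
```

Calling audit(SAMPLE) flags the question's line for exactly the two symptoms described in the comments below: there is no command= option, so a client can still run commands, and restrict has left port forwarding disabled, so the permitopen target is never opened ("administratively prohibited"). The answer's line comes back with no findings, the no-pty line shows every other channel still open, and a line with no options at all shows the defaults. Run it against a real file with audit(open(path).read()) to spot keys that were meant to be tunnel-only but are not.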
Tad Lispy
Updated on September 18, 2022
Comments
-
Tad Lispy over 1 year
I'm confused by the behavior of restrict or no-pty login options prepended to a key in ~/.ssh/authorized_keys. For a given key I was intending to prevent any interaction except for starting an SSH tunnel to a particular local port:

restrict,permitopen="localhost:80" ssh-rsa AAAAB3NzaC1yc2EAAA[...]3c7rmJT5/ [email protected]

The actual effect is that identifying with the corresponding private key I can create a tunnel, but apparently also execute arbitrary commands:

tunnel@a $ ssh -i tunnel_rsa [email protected]
PTY allocation request failed on channel 0
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-64-generic x86_64)
[...]
You have new mail.
ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts

Note the "PTY allocation request failed on channel 0" message at the beginning of the session (which suggests that the login option takes some effect) and the ls .ssh/ command with its output. There is no prompt, but it's not what I was intending to do. Can someone please shed some light on this? Also, what is the preferred method to restrict a given key to only creating a tunnel?

Update: with restrict the tunnel is not really working:

$ curl localhost:8080
curl: (52) Empty reply from server

or using HTTPie:

$ http :8080
http: error: ConnectionError: ('Connection aborted.', BadStatusLine("''",))

with the following output from the ssh -L ... command:

channel 2: open failed: administratively prohibited: open failed

It does work with the no-pty option instead of restrict, but the original problem remains.
-
mikep almost 5 years
Thanks for the great hint to use restrict instead of no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty.