SSH: Effects of no-pty login option in authorized_keys


After some research and experimentation, this combination of options seems to do the trick:

command="",restrict,port-forwarding,permitopen="localhost:80"

Let me go through each of them individually:

  • command=""

    Disallows any command from being executed using this key.

  • restrict

    Disable all options, such as TTY allocation, port forwarding, agent forwarding, user-rc, and X11 forwarding all at once.

  • port-forwarding

    Enables TCP port forwarding, but see below.

  • permitopen="localhost:80"

    Limits TCP port forwarding to local port 80. That's the only thing this key should allow.

I've been able to figure this out mainly by reading the Client Configuration Files chapter of the OpenSSH WikiBook, so the majority of the credit goes to its authors (Lars Noodén et al.). The missing part was port-forwarding: without it, forwarding is forbidden even though permitopen would suggest otherwise.
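To make the "options are applied left to right, and restrict switches everything off" behaviour concrete, here is an added auditing script (my own example, not code from the post or from OpenSSH). It parses the options prefix of an authorized_keys line the way sshd(8) describes the grammar (comma-separated, double-quoted values may contain commas and backslash escapes), computes the resulting feature set, and reports what a tunnel-only key still allows. The key lines and the base64 blob at the bottom are constructed placeholders. It models only the per-key options: sshd_config settings such as AllowTcpForwarding no still override anything granted here.

```python
"""Audit the options prefix of an authorized_keys line (example code).

Option semantics follow sshd(8): options apply left to right, `restrict`
switches every feature off, and `port-forwarding`, `pty`, `agent-forwarding`,
`X11-forwarding` and `user-rc` switch one feature back on again.
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
FEATURES = ("pty", "port-forwarding", "agent-forwarding", "X11-forwarding", "user-rc")
_CANON = {f.lower(): f for f in FEATURES}   # sshd matches option names case-insensitively


def _first_field_end(line):
    """Index of the first whitespace character that is not inside double quotes."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    return i


def split_options(field):
    """Split the options field on commas outside double quotes; quotes are dropped
    and backslash escapes inside them are resolved."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if quoted and c == "\\" and i + 1 < len(field):
            cur.append(field[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def parse_line(line):
    """Return (options, key_part). A line that starts with a key type has no options."""
    line = line.strip()
    end = _first_field_end(line)
    first, rest = line[:end], line[end:].strip()
    if first.startswith(KEY_TYPE_PREFIXES):
        return [], line
    return split_options(first), rest


def effective_permissions(options):
    """Apply the options in order and return the resulting feature set."""
    perms = {f: True for f in FEATURES}
    perms.update({"command": None, "permitopen": [], "permitlisten": [], "other": []})
    for opt in options:
        name, _, value = opt.partition("=")
        lname = name.lower()
        if lname == "restrict":
            for f in FEATURES:
                perms[f] = False
        elif lname in _CANON:                                   # e.g. port-forwarding
            perms[_CANON[lname]] = True
        elif lname.startswith("no-") and lname[3:] in _CANON:   # e.g. no-pty
            perms[_CANON[lname[3:]]] = False
        elif lname == "command":
            perms["command"] = value
        elif lname in ("permitopen", "permitlisten"):
            perms[lname].append(value)
        else:
            perms["other"].append(opt)
    return perms


def audit(line):
    """Findings for a key that is meant to do nothing but open a tunnel to one port."""
    perms = effective_permissions(parse_line(line)[0])
    findings = []
    if perms["command"] is None:
        findings.append("no command= option: the client can run arbitrary commands")
    if perms["permitopen"] and not perms["port-forwarding"]:
        findings.append("permitopen set but port forwarding is off: -L channels are "
                        "refused with 'administratively prohibited'")
    if perms["port-forwarding"] and not perms["permitopen"]:
        findings.append("port forwarding allowed to any host:port")
    for f in ("pty", "agent-forwarding", "X11-forwarding", "user-rc"):
        if perms[f]:
            findings.append(f"{f} is allowed")
    return findings


# Constructed sample lines; the base64 blob is a placeholder, not real key material.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialOnly tunnel@example"
QUESTION_LINE = 'restrict,permitopen="localhost:80" ' + SAMPLE_KEY
NO_PTY_LINE = "no-pty " + SAMPLE_KEY
ANSWER_LINE = 'command="",restrict,port-forwarding,permitopen="localhost:80" ' + SAMPLE_KEY

if __name__ == "__main__":
    for label, line in (("question", QUESTION_LINE), ("no-pty", NO_PTY_LINE), ("answer", ANSWER_LINE)):
        print(label, audit(line) or ["ok: forced command, one permitted tunnel destination"])
```

Run it and the three constructed lines reproduce the thread: the original `restrict,permitopen=...` line has forwarding switched off and no forced command, the `no-pty` line only removes the terminal while leaving commands and unrestricted forwarding intact, and the combination from the answer produces no findings.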


Author: Tad Lispy

Updated on September 18, 2022

Comments

  • Tad Lispy
    Tad Lispy over 1 year

    I'm confused by the behavior of restrict or no-pty login options prepended to a key in ~/.ssh/authorized_keys.

    For a given key I was intending to prevent any interaction except for starting an SSH tunnel to a particular local port:

    restrict,permitopen="localhost:80" ssh-rsa AAAAB3NzaC1yc2EAAA[...]3c7rmJT5/ [email protected]
    

    The actual effect is that identifying with the corresponding private key I can create a tunnel, but apparently also execute arbitrary commands:

    tunnel@a $ ssh -i tunnel_rsa [email protected]
    
    PTY allocation request failed on channel 0
    Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-64-generic x86_64)
    
    [...]
    
    You have new mail.
    
    ls .ssh/
    authorized_keys
    id_rsa
    id_rsa.pub
    known_hosts
    

    Note the PTY allocation request failed on channel 0 message at the beginning of the session (which suggests that the login option takes some effect) and the ls .ssh/ command with its output.

    There is no prompt, but it's not what I was intending to do. Can someone please shed some light on this? Also, what is the preferred method to restrict given key to only creating a tunnel?

    update

    with restrict the tunnel is not really working:

    $ curl localhost:8080
    curl: (52) Empty reply from server
    

    or using HTTPie:

    $ http :8080
    http: error: ConnectionError: ('Connection aborted.', BadStatusLine("''",))
    

    with following output from ssh -L ... command:

    channel 2: open failed: administratively prohibited: open failed
    

    It does work with the no-pty option instead of restrict, but the original problem remains.

  • mikep
    mikep almost 5 years
    Thanks for the great hint to use restrict instead of no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty