[Freeipa-users] Allow IPA users to create SSH tunnel with no shell

Albert Adams biteoag at gmail.com
Mon Dec 17 14:07:57 UTC 2012


Thank you for the responses.  I was initially attempting to set this value
via the web UI and if I entered anything other than the hash value of the
user's public key it would get rejected.  After thinking about your
response I realize that I really need to determine a method of doing this
via a HBAC rule.  If I accomplish this with authorized_keys then the user
is restricted across the board and would not be able to gain a shell on any
system whereas HBAC would allow me to restrict their access as needed.  We
currently require users to tunnel over SSH to gain access to certain
sensitive web apps (like Nessus) but those same users have shell access on
a few boxes.  Thoughts??

Albert

On Mon, Dec 17, 2012 at 4:08 AM, Jan Cholasta <jcholast at redhat.com> wrote:

> Hi,
>
> this should work and you don't even have to set the shell to /sbin/nologin
> (depends on whether you want the users to be able to login to the system by
> other means or not), as the command directive in authorized_keys takes
> precedence.
>
> The tricky part is escaping the value correctly (there is shell escaping,
> IPA CSV quote escaping and authorized_keys quote escaping in effect):
>
> $ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1;
> print \""Tunnel created, use your webbrowser to connect to the
> tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep
> 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding
> ssh-rsa ..."'
>
> Honza
>
>
> On 17.12.2012 03:23, Peter Brown wrote:
>
>> Hi Albert,
>>
>> Have you tried putting that command in the public key for the user in
>> freeipa and setting the user shell to /sbin/nologin or the equivalent?
>>
>>
>> On 15 December 2012 02:09, Albert Adams <biteoag at gmail.com> wrote:
>>
>>     In our environment we have several systems where users require
>>     access to the system to setup an SSH tunnel but should not have a
>>     shell on the system.  Prior to rolling out IPA we accomplished this
>>     with the authorized_keys file as follows:
>>
>>     command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
>>     webbrowser to connect to the tool\n\";while(1) { print
>>     localtime(time) . \"\n\"; sleep
>>     60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
>>
>>     Is there a way to accomplish this in IPA?
>>
>>     Regards,
>>     Albert
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> --
> Jan Cholasta
>
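
The three quoting layers Jan describes (authorized_keys, IPA CSV, shell), applied one at a time and then undone to confirm the key line survives intact. This is an added example, not code from the thread; the forced command is shortened, the key is a placeholder, and the function names are hypothetical.

```python
import csv
import io
import shlex

# Constructed sample: the thread's options with a shortened forced command
# and a placeholder key.
LINE = (
    r'''command="/usr/bin/perl -e '$|=1; print \"Tunnel created\n\"; '''
    r'''while(1) { sleep 60 }'",permitopen="localhost:8834",'''
    r'''no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER'''
)

def csv_quote(value):
    # IPA CSV layer: wrap in double quotes and double each embedded one.
    return '"' + value.replace('"', '""') + '"'

def shell_quote(value):
    # Shell layer: single-quote, writing each embedded ' as '\''.
    return "'" + value.replace("'", "'\\''") + "'"

def ipa_command(user, line):
    return ("ipa user-mod " + shlex.quote(user)
            + " --sshpubkey=" + shell_quote(csv_quote(line)))

def round_trip(command):
    # Undo the shell layer, then the CSV layer, to recover the stored value.
    field = shlex.split(command)[-1].split("=", 1)[1]
    return next(csv.reader(io.StringIO(field)))[0]

def parse_options(line):
    # authorized_keys layer: split the leading options; \" in a value is a quote.
    opts, buf, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 1
        elif ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in ", ":
            opts.append(buf)
            buf = ""
            if ch == " ":
                break
        else:
            buf += ch
        i += 1
    return opts

if __name__ == "__main__":
    print(ipa_command("user", LINE))
    print(parse_options(round_trip(ipa_command("user", LINE))))
```

If the round trip does not return the original line, one of the layers was skipped or applied in the wrong order, and the stored key would carry broken restrictions.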