|
|
@@ -8,6 +8,44 @@ Installation en cours: Devuan
|
|
|
ssh bastion
|
|
|
```
|
|
|
|
|
|
+## Provisoire
|
|
|
+
|
|
|
+- [set up a ssh tunnel only user for ssh proxy jump · GitHub](https://gist.github.com/smoser/3e9430c51e23e0c0d16c359a2ca668ae)
|
|
|
+- [How to restrict a jump user (into openSSH jumpbox) to only SSH to another server? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/691514/how-to-restrict-a-jump-user-into-openssh-jumpbox-to-only-ssh-to-another-server)
|
|
|
+
|
|
|
+```bash
|
|
|
+lauhub@ecaz:~$ sudo -u mat nano /home/mat/.bashrc
|
|
|
+lauhub@ecaz:~$ sudo -u mat tail -1 /home/mat/.bashrc
|
|
|
+PATH=/opt/restricted/bin
|
|
|
+
|
|
|
+lauhub@ecaz:~$ sudo mkdir /opt/restricted/bin
|
|
|
+mkdir: cannot create directory ‘/opt/restricted/bin’: No such file or directory
|
|
|
+lauhub@ecaz:~$ sudo mkdir -p /opt/restricted/bin
|
|
|
+lauhub@ecaz:~$ cd /opt/restricted/bin
|
|
|
+lauhub@ecaz:/opt/restricted/bin$ ln -s $(which ssh)
|
|
|
+ln: failed to create symbolic link './ssh': Permission denied
|
|
|
+lauhub@ecaz:/opt/restricted/bin$ sudo ln -s $(which ssh)
|
|
|
+lauhub@ecaz:/opt/restricted/bin$ ll
|
|
|
+total 0
|
|
|
+lrwxrwxrwx 1 root root 12 Sep 21 02:23 ssh -> /usr/bin/ssh
|
|
|
+lauhub@ecaz:/opt/restricted/bin$ cd -
|
|
|
+/home/lauhub
|
|
|
+
|
|
|
+```
|
|
|
+
|
|
|
+
|
|
|
+### sshd_config
|
|
|
+
|
|
|
+```
|
|
|
+Match User mat
|
|
|
+ AllowAgentForwarding no
|
|
|
+ AllowTcpForwarding yes
|
|
|
+ X11Forwarding no
|
|
|
+ PermitTunnel no
|
|
|
+ GatewayPorts no
|
|
|
+ ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
|
|
|
+```
|
|
|
+
|
|
|
## TODO
|
|
|
|
|
|
- [ ] [linux - Limit SSH access to specific clients by IP address - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address)
|
lauhub