Allowing access to an unprotected service on a server is always a problem. Sometimes the easiest way is not to expose the service to the network at all, but to allow access via SSH port-forwarding. But how can the SSH account be limited so that it can only port-forward to that one specific service? This post describes how.

There are many ways to limit and restrict an SSH account. As already described in Restrict Linux User to SCP to his home directory, an SSH account can be locked into a certain area on the server, but port-forwarding can still allow someone to reach services through the SSH connection that are normally not accessible directly. Plain SSH offers a series of configuration options, placed in various locations, to limit and control access.

Inside the user's authorized keys, settings can be provided for a specific SSH key. In the ~/.ssh/authorized_keys file the following options can be set to restrict port-forwarding to one specific port:

command="echo 'Port forwarding only account.'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen="127.0.0.1:8080" ssh-rsa AAAA.GdaAR

Going through the options shows what each one restricts or permits.

command: This command is executed after successful login. Here it shows the text 'Port forwarding only account.' to users who try to log in to the server without the -N option.

no-X11-forwarding: With this option enabled, X11 forwarding is disabled.

no-agent-forwarding: ssh-agent forwarding is disabled with this option.

no-pty: Disallows the user from getting access to a shell.

no-port-forwarding: This option disallows port-forwarding entirely. The permitopen option below allows exceptions from that restriction.

permitopen: Building on the no-port-forwarding option above, this option defines one specific port-forwarding that is allowed while every other port-forwarding remains disallowed. In the above example, this option is repeated twice: once for the name "localhost" and a second time for the IP address.

With the parameters explained, the configuration shown above allows the user who authenticates with this SSH key only to create a port-forwarding to port 8080 on localhost (or the IP equivalent).
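As an added example that is not part of the original post, the following Python script audits authorized_keys lines for the forward-only pattern described above: it parses the options field (including the quoted command= value, which contains spaces), checks that all four no-* restrictions and a forced command are present, and flags any permitopen target other than the two the post allows. The sample lines and key material are constructed placeholders, not real keys.

```python
import re
# Options a "port-forward only" key must carry (names are case-insensitive) and the
# only permitopen targets the post's example allows.
REQUIRED = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
ALLOWED_TARGETS = {"localhost:8080", "127.0.0.1:8080"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# The options field is comma-separated name or name=value; a double-quoted value
# may contain spaces, commas and backslash-escaped quotes (as command="..." does).
OPTS_FIELD_RE = re.compile(r'^(?:[A-Za-z0-9_-]+(?:="(?:\\.|[^"\\])*"|=[^,\s]*)?,?)+')
OPT_RE = re.compile(r'([A-Za-z0-9_-]+)(?:=("(?:\\.|[^"\\])*"|[^,]*))?')

def split_entry(line: str) -> tuple:
    """Return (options field, key part); options are empty if the line starts with a key type."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return "", line
    m = OPTS_FIELD_RE.match(line)
    return (line[:m.end()], line[m.end():].lstrip()) if m else ("", line)

def parse_options(field: str) -> list:
    """Split an options field into (lower-cased name, unquoted value) pairs."""
    out = []
    for name, raw in OPT_RE.findall(field):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        out.append((name.lower(), raw))
    return out

def audit_entry(line: str, allowed=ALLOWED_TARGETS) -> list:
    """Findings for one authorized_keys line; [] means the key can only forward to `allowed`."""
    opts = parse_options(split_entry(line)[0])
    names = {n for n, _ in opts}
    findings = [f"missing {o}" for o in sorted(REQUIRED - names)]
    if "command" not in names:
        findings.append("missing command=: nothing pins what a login may run")
    targets = {v.lower() for n, v in opts if n == "permitopen"}
    for t in sorted(targets - {a.lower() for a in allowed}):
        findings.append(f"permitopen allows unexpected target {t}")
    return findings

# Constructed sample lines: the first mirrors the post's entry (key material is
# a placeholder), the second lacks the restrictions, the third opens every target.
GOOD = ('command="echo \'Port forwarding only account.\'",no-port-forwarding,no-X11-forwarding,'
        'no-agent-forwarding,no-pty,permitopen="localhost:8080",permitopen="127.0.0.1:8080" '
        'ssh-rsa AAAAB3PLACEHOLDER== fwd@example')
UNRESTRICTED = 'permitopen="localhost:8080" ssh-ed25519 AAAAC3PLACEHOLDER fwd2@example'
WILDCARD = ('command="/bin/false",no-pty,no-port-forwarding,no-agent-forwarding,'
            'no-X11-forwarding,permitopen="*:*" ssh-rsa AAAAB3PLACEHOLDER2== fwd3@example')
```

Run audit_entry over each non-comment line of a real authorized_keys file; it inspects the options field only, so anything set in sshd_config (for example a different AuthorizedKeysFile) is outside its scope.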