1

I found the permit_open option in authorized_keys, but I want the particular user to ssh to the server and automatically telnet to another user and being jail-boxed at the same time. It means something like:

user1@local# ssh user1@remote1

it actually connects to a remote2 telnet port behind a firewall, and user1 is not able to access anything(incl. remote1) behind the firewall.

Improve this question

4 Answers 4

Reset to default
2

You would use port forwarding, or a firewall rule (ipchains, or similar). I think you're looking at SSH expecting to do this, but that's not what SSH is for.

Improve this answer
3
  • 1
    Harv is right. There's no reason to use ssh on the first machine. Rather just have the first machine forward any incoming connections, using iptables, to the restricted machine. Then you only have one ssh session and no tunneling. Commented Dec 9, 2010 at 9:47
  • Well if I understand well the OP, the reason to use SSH on remote1 THEN telnet on remote2 is that the local <-> remote1 part of the connection is encrypted, which is considerably more secure than just telnet from local to remote2 via remote1 using iptables. Commented Dec 9, 2010 at 17:21
  • @Renik, yeah thats what I mean, but is telnet jailed in? Couldn't I use ^] to escape? Commented Dec 10, 2010 at 3:27
2

I would not use port forwarding but simply change the initial program run by the ssh user on remote1 to be "telnet remote2" instead of "/bin/bash" or whatever. EDIT : with the "command" option in authorized_keys

Maybe you could elaborate on your use case, though.

Improve this answer
1

Renik already gave you the answer, but do not forget to add some hardening settings to disable port forwarding.

Like this :

command="/usr/bin/ssh user1@remote1",no-port-forwarding,no-user-rc ssh-rsa ... user@host

Improve this answer
0

Leaving aside the user of telnet in a secure environment, I agree with Harv - you're trying to overload SSH. If it were my build, I'd probably put in openVPN for the remote users to connect to remote1, then use iptables to restrict traffic coming out of the tunnel to TCP/23 destined for remote2 (and replies).

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.