From: Trevor Sullivan
Date: Sat, 23 Jul 2005 12:51:25 -0500
To: Hornet, freebsd-questions@freebsd.org
Subject: Re: Restrict Tunneling thru SSH

Hornet wrote:
> On 7/22/05, Trevor Sullivan wrote:
>
>> Hornet wrote:
>>
>>> On 7/21/05, Trevor Sullivan wrote:
>>>
>>>> Hello list, I am curious as to whether or not it is possible
>>>> to restrict certain users from tunneling traffic through SSH.
>>>> I would like to be able to tunnel my own traffic, but provide
>>>> user logins that are restricted from accessing the rest of my
>>>> inside network. Is it possible to restrict this by user?
>>>> Thanks
>>>>
>>>> Trevor
>>>
>>> I'm pretty sure it is an all or nothing config option in
>>> sshd.conf in the global sense. But you can make specific
>>> options for specific hosts.
>>>
>> So could I possibly restrict SSH tunneling by IP (host)? I guess
>> my concern is that if I create a user account, it will be able to
>> tunnel to other machines on my network w/o restriction. Is the
>> way to do this maybe a DMZ or separate VLAN?
>>
>> Trevor
>
> Yes, you should be able to do this via your sshd config. I would
> recommend using webmin for this. I have not done this before, but
> it looks doable. Are your users going to be using ssh, or is this
> just a SMB box? If it is just a SMB box, then I would just set the
> shell account to "nologin" since that is separate from the SMB
> account.
>
> Also I guess you could set up a firewall and restrict the ports
> that can talk on the LAN.
>
> -Erik-
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Well I was thinking about setting up vsftpd as my ftp server. I tried it a
while ago and was having some issues with PAM while configuring virtual
users, so I decided to use pure-ftpd for a while because that was quite a
bit easier to use. In the case of vsftpd, I don't really hope to set up
virtual users (as big a PITA as that was), so instead I'm going to just use
unix authentication. I guess...I could still just set their shell to
nologin, huh? Didn't even think about that...lol.

I do have a question though...I understand that for Mac OSX, there is a
program that establishes SSH tunnels w/o actually being an SSH "client" per
se...would this still allow the user to use something like that?

Trevor