From: markzero
To: freebsd-security@freebsd.org
Date: Thu, 22 Sep 2005 16:27:18 +0100
Subject: Tunnel-only SSH keys
Message-ID: <20050922152718.GB91509@logik.internal.network>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)
X-GPG-Key: http://darklogik.org/pub/pgp/pgp.txt
X-Fingerprint: 0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43

Hello.

I once read somewhere that it's possible to limit SSH pubkeys to 'tunnel-only'. I can't seem to find any information about this in any of the usual places.
I'm going to be deploying a few servers in a couple of days and I'd like them to log to a central server over an SSH tunnel (using syslog-ng); however, I'd like to prevent actual logins (hence 'tunnel-only'). Can this be done with OpenSSH? I'd like to try and stay away from the complexities of a chrooted stunnel for now...

cheers,
M

--
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43
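What the post is asking for is done on the central log host with per-key options in ~/.ssh/authorized_keys, not with a chrooted stunnel. The following is an added example, not code from the original post or from the OpenSSH project: a small POSIX sh helper that emits an authorized_keys line for a key that may only open a local forward to the syslog-ng listener, plus an audit function that checks an existing line carries the restricting options. The key material, the user names and the port 514 are placeholders I chose for illustration. The forced command (command="/usr/bin/false") replaces any shell or command the client requests, and because a client started with ssh -N never requests one, the session stays up and only the forward is usable; no-pty, no-agent-forwarding and no-X11-forwarding close the other channel types, and permitopen="host:port" limits -L forwards to that one destination.

```shell
#!/bin/sh
# Added example (not from the original post): build and audit a
# "tunnel-only" authorized_keys entry for a syslog-ng-over-SSH setup.
#
# Layout assumed for illustration:
#   central host : sshd plus syslog-ng listening on 127.0.0.1:514 (tcp)
#   each server  : ssh -N -L 514:127.0.0.1:514 syslog@central
#                  syslog-ng destination: tcp("127.0.0.1" port(514))
# The line produced here goes into ~syslog/.ssh/authorized_keys on central.

# tunnel_only_key_line HOST:PORT KEYTYPE BASE64 [COMMENT]
# Prints one authorized_keys line that:
#   - replaces any requested shell/command with /usr/bin/false
#     (a plain "ssh syslog@central" exits immediately; "ssh -N" keeps
#     the connection open because it never asks for a shell)
#   - refuses a pty, agent forwarding and X11 forwarding
#   - restricts -L forwards to the single HOST:PORT given
tunnel_only_key_line() {
    target="$1"; shift
    printf 'command="/usr/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="%s" %s\n' \
        "$target" "$*"
}

# is_tunnel_only LINE
# Returns 0 only if LINE carries every option the recipe above requires.
# Useful as a quick audit over an existing authorized_keys file:
#   while read -r l; do is_tunnel_only "$l" || echo "unrestricted: $l"; done < authorized_keys
is_tunnel_only() {
    line="$1"
    for opt in 'command="' no-pty no-agent-forwarding no-X11-forwarding 'permitopen="'; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo with a constructed (not real) public key.
tunnel_only_key_line 127.0.0.1:514 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0example syslog@web1
```

Two caveats a practitioner should know. First, permitopen only constrains local (-L) forwards; the client can still request remote (-R) forwards, which open listening sockets on the log host, so either add no-port-forwarding and carry the logs some other way, or on OpenSSH 7.2 and later use the stricter form restrict,port-forwarding,permitopen="127.0.0.1:514" (restrict turns everything off, port-forwarding re-enables only forwarding), and on 7.8 and later also add permitlisten to bound -R forwards. Second, the forced command is what stops logins, so keep it pointed at a binary that exits immediately (/usr/bin/false or /sbin/nologin on FreeBSD) and make sure the authorized_keys file is not writable by the tunnel user, or the user can simply remove the options.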