Fedora Linux Support Community & Resources Center

  #1  
Old 9th April 2008, 04:44 PM
cwebster Offline
Registered User
 
Join Date: May 2005
Location: NC
Age: 58
Posts: 104
Fedora 8 Restricted SSH (rssh) package available?

Is there an rssh server RPM or SRPM available for Fedora 8 on any of the repos?

I originally posted this topic in the "General" forum but this forum felt like a more appropriate place.

I've only been able to find the SRPM and source tar-ball at http://www.pizzashack.org/rssh/. I downloaded the SRPM but was hoping to find it in one of the Fedora repos. Also, there doesn't appear to have been any development on this for over 2 years. If the project is maintained elsewhere or there is a better alternative, would someone let me know?

I need to allow only VNC tunnelling through SSH (NO file transfers) for certain users over one interface but unrestricted ssh for other users on both interfaces of a gateway machine. I figure I can configure both rsshd and sshd to run together on different ports to allow use of restricted ssh for some users and unrestricted ssh for others.

We use MindTerm (Java SSH) client on our Windoze boxes and openssh on Linux. I've tested VNC tunneling Win<->F8 and RHEL4/RHL9<->F8 using DSA key pairs and it works well. The problem is that this also gives them access to a shell. I cannot permit file transfers over these tunnels, only RFB (VNC) streams. I figure using RSSH to a chrooted environment with no scp or sftp available would meet our needs.

Thanks for any pointers or suggestions.

./Cal
__________________
./Cal
Reply With Quote
  #2  
Old 9th April 2008, 05:35 PM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,346
Please prove me wrong, but once the restricted users have access to the remote desktop there are dozens of tools and ways to send the remote files to their local systems. They could use client ftp, ssh or even nc. Even cut-n-paste from a screen, de-/en-coding binaries with btoa if they wished.

It's an odd requirement to give users only remote-only access to files. No offense but it sounds more like a case of overbearing administration rather than a real security need. Or else I don't understand your problem.

Could you explain your problem/goals/motivations rather than your proposed solution (which can't be very effective I think).
--
As I understand it the OpenSSH sshd daemon requires the user have a shell login at least to create the initial command sequence. So even if I only forward a port, the initial channel to a shell exists (tho' it doesn't create a pseudo-terminal instance). So I believe that the OpenSSH daemon will not provide the restrictions you suggest. You may be able to use a restricted shell for the users and thus limit their access. Alternatively you should seek out another ssh server, as you have.
Reply With Quote
  #3  
Old 9th April 2008, 06:57 PM
leigh123linux Offline
Retired Administrator
 
Join Date: Oct 2006
Posts: 21,509
Quote:
Originally Posted by cwebster
Is there an rssh server RPM or SRPM available for Fedora 8 on any of the repos?

I originally posted this topic in the "General" forum but this forum felt like a more appropriate place.


I've only been able to find the SRPM and source tar-ball at http://www.pizzashack.org/rssh/. I downloaded the SRPM but was hoping to find it in one of the Fedora repos. Also, there doesn't appear to have been any development on this for over 2 years. If the project is maintained elsewhere or there is a better alternative, would someone let me know?

I need to allow only VNC tunnelling through SSH (NO file transfers) for certain users over one interface but unrestricted ssh for other users on both interfaces of a gateway machine. I figure I can configure both rsshd and sshd to run together on different ports to allow use of restricted ssh for some users and unrestricted ssh for others.

We use MindTerm (Java SSH) client on our Windoze boxes and openssh on Linux. I've tested VNC tunneling Win<->F8 and RHEL4/RHL9<->F8 using DSA key pairs and it works well. The problem is that this also gives them access to a shell. I cannot permit file transfers over these tunnels, only RFB (VNC) streams. I figure using RSSH to a chrooted environment with no scp or sftp available would meet our needs.

Thanks for any pointers or suggestions.

./Cal
I have deleted your double post as it is against forum rules! Please don't double post again!
Reply With Quote
  #4  
Old 9th April 2008, 07:11 PM
cwebster Offline
Registered User
 
Join Date: May 2005
Location: NC
Age: 58
Posts: 104
Thank you for taking an interest, stevea. I can understand why this sounds like an "odd requirement" and might be characterized as "overbearing" to an outsider. I'll explain so you can understand my position.

Software developers and engineers on an isolated network need Internet access to conduct research. There are Information Assurance rules in place that prohibit direct connectivity to the Internet. No file transfers at all are permitted, only simple keyboard, video, mouse (RFB protocol - VNC) traffic and only through ssh tunnels.

Instead, there is a single Fedora 8 machine separated from the isolated network by a firewall that only permits ssh traffic coming from the private side to pass only to the single Fedora machine's private interface on the public side of the firewall. The Fedora machine's public interface permits only outbound traffic to the Internet through a proxy server. IP forwarding is disabled.

We have the tunneled VNC connections working but we need to restrict the ssh connections so that only the tunneled ports can be maintained without any shell or ssh commands available. I want the users to use a restricted account to connect to sshd on the Fedora machine to set up the ssh tunnel. Using VNC, they can then open an X session using their normal Linux account. Copying and pasting text from the VNC window does not present a security risk for us.

I can certainly understand your moral objections to extreme IA policies such as I have described. However, we have to work within the rules if these developers and engineers are to have any Internet access at all.
__________________
./Cal
Reply With Quote
  #5  
Old 9th April 2008, 07:15 PM
cwebster Offline
Registered User
 
Join Date: May 2005
Location: NC
Age: 58
Posts: 104
Quote:
Originally Posted by leigh123@linux
I have deleted your double post as it is against forum rules! Please don't double post again!
My apologies. I suppose I should have deleted the post to the "General" forum after opening this one. I usually post to only one forum. Thank you for the reminder.
__________________
./Cal
Reply With Quote
  #6  
Old 9th April 2008, 07:31 PM
cwebster Offline
Registered User
 
Join Date: May 2005
Location: NC
Age: 58
Posts: 104
I have downloaded the SRPM for rssh from http://www.pizzashack.org/rssh/ since I could find the binary RPM in no Fedora repositories. I built, installed, and set up a basic configuration including a chroot jail. I'm now trying various configurations to see if I can set up an ssh tunneled port like the one below without permitting anything else.

Example of client command to open tunneled port on Linux:
Code:
ssh -l kvm -i .ssh/id_dsa_kvm -L 15973:127.0.0.1:5973 192.168.1.100
./Cal
__________________
./Cal
Reply With Quote
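Added example, not part of any post in this thread: a small Python check for the tunnel-only requirement described above, applied to `authorized_keys` lines for the `kvm` account. It looks at three things only (forced command, pty, `permitopen` targets); the sample key lines, the `/sbin/nologin` forced command and the allowlist are constructed for illustration, and the `restrict` option assumes a recent OpenSSH release.

```python
import re

# Assumed policy: only the VNC forward from the thread's ssh command is allowed.
ALLOWED_FORWARDS = {"127.0.0.1:5973"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# option name, optionally followed by ="value" (value may hold commas/spaces)
_OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_options(line):
    """Return [(name, value)] from the options field that precedes the key type."""
    if line.startswith(KEY_TYPES):
        return []                      # line begins with the key type: no options
    opts, pos = [], 0
    while True:
        m = _OPT.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        opts.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
        if line[pos:pos + 1] != ",":   # whitespace ends the options field
            return opts
        pos += 1

def audit(line):
    """List the reasons a key line is not tunnel-only; empty list means it passes."""
    opts = parse_options(line.strip())
    names = {n for n, _ in opts}
    targets = {v for n, v in opts if n == "permitopen"}
    findings = []
    if "command" not in names:
        findings.append("no forced command: shell, scp and sftp requests are served")
    if "no-pty" not in names and not ("restrict" in names and "pty" not in names):
        findings.append("pty allocation allowed")
    if not targets:
        findings.append("no permitopen: forwards may target any host:port")
    elif targets - ALLOWED_FORWARDS:
        findings.append("permitopen allows %s" % sorted(targets - ALLOWED_FORWARDS))
    return findings

# Constructed sample lines (key blob is a placeholder, not a real key).
WEAK = "ssh-ed25519 AAAAPLACEHOLDER kvm@client"
PARTIAL = 'no-pty,permitopen="127.0.0.1:5973" ssh-ed25519 AAAAPLACEHOLDER kvm@client'
HARDENED = ('restrict,port-forwarding,command="/sbin/nologin",'
            'permitopen="127.0.0.1:5973" ssh-ed25519 AAAAPLACEHOLDER kvm@client')

if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, audit(line) or "tunnel-only")
```

With a forced command in place, the client opens the forward with `ssh -N` so that no session is requested.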
  #7  
Old 15th April 2008, 01:22 PM
cwebster Offline
Registered User
 
Join Date: May 2005
Location: NC
Age: 58
Posts: 104
For anyone looking at this thread in the future, rssh won't help either because it will not allow tunneling any ports.

"stunnel" is exactly what I need for protecting services that have no other method of encryption. It uses SSL to tunnel arbitrary protocols between machines.
__________________
./Cal
Reply With Quote