Issue
A user needs secure access to a service behind a firewall. In this case the user's system is Windows 10 and the server runs Debian Linux.
The user does not need a shell on the server, and it is always good to be restrictive with access: the account should be able to open the tunnel and nothing else.
Solution
Server
First of all you need to create an account for the user on the server.
There's going to be a lot of sudoing, which appears to be best practice. I prefer just running sudo -i and being done with it.
The user will log in and create the SSH tunnel using an RSA key instead of a password. However, some systems refuse any login for a locked (passwordless) account: OpenSSH's sshd, for example, rejects accounts whose shadow password field starts with "!" when UsePAM is off. To be on the safe side, set a password. It is never typed by the user, and with PasswordAuthentication no in sshd_config it cannot be used over SSH at all.
You can generate one with something like openssl rand -base64 32, or just use your favorite password generator.
The frequently seen variant date +%s | sha256sum | base64 | head -c 32 ; echo is not a good choice here: it derives the value from the current time rather than from a random source, so the result is guessable by anyone who knows roughly when the account was created.
Copy the password, run adduser and answer the questions.
adduser username
Disable shell access for the user. Note that a nologin shell only blocks interactive logins; it does not by itself limit what the account may forward, so the forwarding restrictions belong in authorized_keys options or an sshd_config Match block as well.
chsh -s /usr/sbin/nologin username
Then create a ssh folder for the user and set appropriate permissions.
mkdir /home/username/.ssh
chown username:username /home/username/.ssh
chmod 700 /home/username/.ssh
Generate an SSH RSA keypair. This procedure generates it on the server and later moves the private key to the client; if you have the choice, generating the key on the client (puttygen can do this too) and copying only the public key to the server avoids ever transferring the private key.
ssh-keygen -t rsa -b 4096 -f /home/username/.ssh/rsa_key
Leaving the passphrase empty is possible as long as one realizes that the key file then is the password and must be treated accordingly.
You should now have a private key named rsa_key and a public key named rsa_key.pub. rsa_key is just an example; you can name the key files anything.
In order to allow SSH login, the public key must be added to the user's authorized_keys, and permissions need to be set.
cd /home/username/.ssh
cat rsa_key.pub >> authorized_keys
chown username:username *
chmod 600 *
Finally the private key needs to be placed on the user's computer. One way would be to simply use scp or pscp to transfer it, authenticating as your own administrative account: the new account's nologin shell means it cannot serve scp itself.
Once the private key is copied, delete it from the server.
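The server-side steps above, collected into one script. This is an added example and not the original post's code; it goes one step further than the post by pinning the key to port forwarding only (the restrict, port-forwarding and permitopen authorized_keys options, plus a matching sshd_config Match block), so the account cannot be used to reach anything but the one service. The user name "tunneluser", the service address 127.0.0.1:8080, the key name tunnel_key and the /etc/ssh/sshd_config.d/ drop-in path are assumptions; on Debian releases older than 11 the Match block must be appended to the end of /etc/ssh/sshd_config instead. Debian's adduser --disabled-password creates the account with no usable password but without the "!" lock, so key login works without setting one; the post's random password remains the portable fallback.

```shell
#!/bin/sh
# Added example, not from the original post. Provisions a tunnel-only account
# on Debian and restricts the key to forwarding a single service.
# Assumed names: user "tunneluser", service 127.0.0.1:8080, key "tunnel_key".
set -eu

TUNNEL_USER="${TUNNEL_USER:-tunneluser}"   # assumption
SERVICE="${SERVICE:-127.0.0.1:8080}"       # assumption: the only host:port the user may reach
HOME_DIR="/home/$TUNNEL_USER"
DROPIN="/etc/ssh/sshd_config.d/50-$TUNNEL_USER.conf"   # assumption: Debian 11+ layout

# Build the authorized_keys line. "restrict" (OpenSSH 7.2+) disables pty,
# agent/X11/port forwarding and user rc; "port-forwarding" re-enables
# forwarding and "permitopen" limits it to $SERVICE.
# $1 = public key in single-line OpenSSH format.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$SERVICE" "$1"
}

# sshd_config stanza enforcing the same policy server-side, so a later edit
# of authorized_keys cannot silently widen it. Match blocks must come last
# in sshd_config, which the drop-in directory handles for us.
sshd_match_block() {
    cat <<EOF
Match User $TUNNEL_USER
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitOpen $SERVICE
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Root-only: create the account (no password, nologin shell), generate the
# key, install the restricted authorized_keys line and the Match block.
provision_user() {
    [ "$(id -u)" -eq 0 ] || { echo "provision_user must run as root" >&2; return 1; }
    adduser --disabled-password --gecos "" --shell /usr/sbin/nologin "$TUNNEL_USER"
    install -d -m 700 -o "$TUNNEL_USER" -g "$TUNNEL_USER" "$HOME_DIR/.ssh"
    # Ed25519 keys are accepted by PuTTY 0.68 and later; use -t rsa -b 4096 for older clients.
    ssh-keygen -t ed25519 -N "" -C "$TUNNEL_USER tunnel" -f "$HOME_DIR/.ssh/tunnel_key"
    restricted_key_line "$(cat "$HOME_DIR/.ssh/tunnel_key.pub")" > "$HOME_DIR/.ssh/authorized_keys"
    chown "$TUNNEL_USER:$TUNNEL_USER" "$HOME_DIR/.ssh/authorized_keys"
    chmod 600 "$HOME_DIR/.ssh/authorized_keys"
    sshd_match_block > "$DROPIN"
    sshd -t                     # refuse to reload on a syntax error
    systemctl reload ssh
    echo "now copy $HOME_DIR/.ssh/tunnel_key to the client and delete it here"
}

# Run the privileged part only when explicitly asked for.
if [ "${1:-}" = "provision" ]; then
    provision_user
fi
```

Run it as root with the argument provision. After the reload, a client using the key can only open -L forwards to 127.0.0.1:8080; any other destination is refused by sshd (logged as "open failed: administratively prohibited"), and requesting a shell or pty fails before the nologin shell is even consulted.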
Client
For the client we'll use plink.exe, the command-line connection tool from the PuTTY suite.
But before running plink, the private key generated by ssh-keygen must be converted to PuTTY's .ppk format. The PuTTY download page that provides plink also provides the converter, puttygen.exe, so go ahead and get that as well.
Then run puttygen.exe and click "Load" to select and load the user's private key.
Once the key is loaded, click "Save private key" to save it. Save it as rsa_key.ppk or similar.
Close puttygen.
Feel free to delete the old OpenSSH-format key; the .ppk file is now the only copy needed on the client.
Make sure the key is saved in a safe place and that only the user who needs it has permission to read it.
Finally you are ready to create an SSH tunnel.
To give the user access to port 8080 on the server, execute plink like this. The -N flag matters: without it plink requests a remote shell, the nologin shell exits at once, and the session closes together with the tunnel.
plink.exe -N -i rsa_key.ppk -l username -L 8080:127.0.0.1:8080 my.hostname.com
-L 8080:127.0.0.1:8080 listens on port 8080 on the Windows machine and forwards connections to port 8080 on the server's loopback interface, so the user reaches the service at 127.0.0.1:8080 locally. On the first connection plink asks you to confirm the server's host key; check the fingerprint against the output of ssh-keygen -l -f on the server's /etc/ssh/ssh_host_*_key.pub files before accepting it.
To make your user's life easier you could put the command in a .bat file 🙂 (the host key confirmation is still required once.)