Pantek Library

Re: More on passwordless logins

From: Brian Hatch <secure-shell(at)ifokr.org>
Date: Fri Jun 27 2003 - 14:47:18 EDT

> My only concern is having created a user specifically for

Yes, you can definitely have non-root users establish a PPP over SSH VPN. You'll need to set up 'sudo' on both ends, and grant the VPN user the ability to run pppd with the correct options. (You should be as detailed in your sudoers file as possible to prevent this account from doing anything they shouldn't.)

It's a bit tricky to get all the quotes and backslashes in the right spot since you'll have the sudo command plus the pppd command on the SSH command line, so you'll probably want to use a shell script on both ends. Also, I'd highly recommend using the 'command=' option in authorized_keys to force this script and not allow this user to do anything but attempt to create a VPN. And, if you want to have even more security, have native PPP authentication (pap/chap) occur as well.

For a detailed set of scripts to do this, get Building Linux VPNs. (Sorry for the plug - I wish I could have the scripts online, but they're password protected.)

--
Brian Hatch                  You need to shave.  If I
   Systems and                met you on the street, I'd
   Security Engineer          cross to avoid you.
http://www.ifokr.org/bri/    --Bree

Every message PGP signed

  • application/pgp-signature attachment: stored
Received on Fri Jun 27 18:48:12 2003
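
The server-side arrangement described in the message above (sudo limited to one exact pppd command line, run from a script forced with 'command='), as an added example that is not part of the original message and not taken from Building Linux VPNs. The account name vpnuser, the wrapper path, the tunnel addresses and the pppd option set are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: server-side forced-command wrapper for a PPP-over-SSH VPN.
# Every name, path and address here is constructed for illustration.
#
# ~vpnuser/.ssh/authorized_keys (one line; the key is a placeholder):
#   command="/usr/local/sbin/ppp-vpn-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER vpn-client
#
# /etc/sudoers (edit with visudo). Listing the full argument list means sudo
# permits only this exact invocation; ':' in arguments must be escaped as '\:'.
#   vpnuser ALL=(root) NOPASSWD: /usr/sbin/pppd notty nodetach noauth 10.9.0.1\:10.9.0.2
#
# For PPP-level authentication (pap/chap) as well, replace 'noauth' with 'auth'
# in both places and add the peer's secret to /etc/ppp/chap-secrets.

PPPD=/usr/sbin/pppd
PPPD_ARGS="notty nodetach noauth 10.9.0.1:10.9.0.2"

# Overridable so the logic can be exercised without root or pppd installed.
# 'sudo -n' fails instead of prompting if the sudoers rule does not match.
RUNNER=${RUNNER:-"sudo -n"}

vpn_forced_command() {
    # sshd stores whatever the client asked to run in SSH_ORIGINAL_COMMAND.
    # This key exists only to bring up the tunnel, so any request is refused
    # and reported on stderr rather than silently ignored.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "ppp-vpn-wrapper: refusing client command: $SSH_ORIGINAL_COMMAND" >&2
        return 1
    fi
    # The pppd arguments come only from this script, never from the client.
    # Word splitting of RUNNER and PPPD_ARGS is intentional.
    $RUNNER "$PPPD" $PPPD_ARGS
}

# Run the wrapper only when installed under its real name, so the file can
# also be sourced or tested without starting pppd.
case "${0##*/}" in
    ppp-vpn-wrapper) vpn_forced_command ;;
esac
```

The client end would start its own pppd with the ssh command as its pty, passing no remote command, since the forced script supplies it.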

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:00 EDT
