Being an IT person in China can often be a challenge, especially when you’re roaming the interwebz for information. The Great Firewall of China does stop innocuous content like the AngularJS docs or Gmail. I think this is harmful to a whole generation of young Chinese IT enthusiasts, but that’s a subject for another post. The Great Firewall is now pretty elaborate, mixing DNS poisoning, plain blacklisting and DPI. It is very difficult today to use a standard VPN protocol, as the DPI will detect it and shut the connection down. For that reason I turned to a simple SSH tunnel for my browser, complemented with FoxyProxy (website blocked in China), and I’m all set.
I got myself a tiny DigitalOcean droplet in Singapore and wanted to create a dedicated proxy account on my server with essentially no rights on the machine other than to connect and tunnel.
- Create a user called sshproxy with a restricted shell and no password:
$ sudo adduser --shell /bin/rbash --disabled-password sshproxy
- Restrict what an SSH session can do by editing /home/sshproxy/.ssh/authorized_keys; don’t forget to put the proper RSA/DSA public key in place of ssh-rsa AAAA...==:
command="echo 'This account can only be used for proxy tunnel'",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...== me@laptop
- Remove any direct access to binaries by editing /home/sshproxy/.profile; this should remove the temptation:
- Set a login message in /etc/sshproxy_banner (this step is optional):
This is a restricted account for proxy only.
- Set this user to authenticate by RSA/DSA key only by adding the following Match block to /etc/ssh/sshd_config:
# ssh proxy
Match User sshproxy
    PasswordAuthentication no
    Banner /etc/sshproxy_banner
- Fix the rights and ownership of the various files:
$ sudo chmod 444 /home/sshproxy/.bash_logout /home/sshproxy/.bashrc /home/sshproxy/.profile
$ sudo chown sshproxy: /home/sshproxy/.ssh /home/sshproxy/.ssh/authorized_keys
$ sudo chmod 600 /home/sshproxy/.ssh/authorized_keys
$ sudo chmod 555 /home/sshproxy
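To check that the account really ended up locked down the way the steps above intend, here is an added audit script (my own example, not part of the original post). It assumes the account name sshproxy and the file contents shown above; the functions take file content rather than paths so they can run against the constructed samples at the bottom, and on the droplet you would pass e.g. "$(cat /etc/ssh/sshd_config)" instead.

```shell
#!/bin/sh
# Audit helpers for the restricted sshproxy account. Each function takes the
# user name and/or file CONTENT as arguments and exits 0 when the check passes.

# The account's login shell in its passwd entry must be the restricted shell.
passwd_shell_ok() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u && $7 == "/bin/rbash" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# The Match block for the user must set PasswordAuthentication no and a Banner.
# Lines after a Match line belong to that block until the next Match line, so a
# directive that lands under another Match block no longer applies to sshproxy.
sshd_match_ok() {
    printf '%s\n' "$2" | awk -v u="$1" '
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == u); next }
        inblk && tolower($1) == "passwordauthentication" && tolower($2) == "no" { pw = 1 }
        inblk && tolower($1) == "banner" && $2 != "" { banner = 1 }
        END { exit ((pw && banner) ? 0 : 1) }'
}

# Every key must carry a forced command and disable agent and X11 forwarding.
# Port forwarding stays allowed: tunnelling is the whole purpose of the account.
authorized_keys_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        { n++; line = " " $0
          if (!match(line, / (ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9]+) /)) { bad++; next }
          opts = substr(line, 1, RSTART)
          if (opts !~ /command="[^"]+"/ || opts !~ /no-agent-forwarding/ ||
              opts !~ /no-X11-forwarding/) bad++ }
        END { exit ((n > 0 && !bad) ? 0 : 1) }'
}

# Constructed samples (placeholder key material, not real keys).
GOOD_PASSWD='sshproxy:x:1001:1001::/home/sshproxy:/bin/rbash'
GOOD_SSHD='PasswordAuthentication yes
# ssh proxy
Match User sshproxy
    PasswordAuthentication no
    Banner /etc/sshproxy_banner'
BAD_SSHD='Match User sshproxy
    Banner /etc/sshproxy_banner
Match User deploy
    PasswordAuthentication no'
GOOD_KEYS="command=\"echo 'This account can only be used for proxy tunnel'\",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...== me@laptop"
BAD_KEYS='ssh-rsa AAAA...== me@laptop'
```

BAD_SSHD shows the trap the second check catches: the PasswordAuthentication line looks present in the file but sits under a different Match block, so password logins for sshproxy are still governed by the global setting.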