Create a secure shell for SSH proxy/tunnel

Stefan "hr" Berder // // security

Being an IT person in China can often be a challenge, especially when you’re roaming the interwebz for information. The great firewall of China does stop innocuous content like the angularjs docs or gmail. I think this is harmful to a whole generation of young Chinese IT enthusiasts but that’s a subject for another post. The Great firewall is now pretty elaborate mixing DNS poisoning, plain blacklisting and DPI. It is very difficult today to use a standard VPN protocol as the DPI will detect it and shut the connection. For that reason I turned myself to a simple SSH tunnel for my browser complemented with foxyproxy (website blocked in China) and I’m all set.

I got myself a tiny digitalocean droplet in Singapore and wanted to create a dedicated proxy account on my server with essentially no rights on the machine other than connect and tunnel.

  • Create a user called sshproxy with a restricted shell and no password:
$ sudo adduser --shell /bin/rbash --disabled-password sshproxy
  • Restrict the SSH possibilities by editing /home/sshproxy/.ssh/authorized_keys, don’t forget to put the proper RSA/DSA key in place of ssh-rsa AAAA...==:
command="echo 'This account can only be used for proxy tunnel'",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...== me@laptop
  • Remove any direct access to binaries by editing /home/sshproxy/.profile, this should avoid temptation:
PATH=""
  • Set a login message in /etc/sshproxy_banner, this is an optional step:
This is a restricted account for proxy only.
  • Set this user to authenticate by RSA/DSA key only by adding the following to /etc/ssh/sshd_config:
# ssh proxy
Match User sshproxy
    PasswordAuthentication no
    Banner /etc/sshproxy_banner
  • Fix the various files rights and ownerships:
$ sudo chmod 444 /home/sshproxy/.bash_logout /home/sshproxy/.bashrc /home/sshproxy/.profile
$ sudo chown sshproxy: /home/sshproxy/.ssh /home/sshproxy/.ssh/authorized_keys
$ sudo chmod 600 /home/sshproxy/.ssh/authorized_keys
$ sudo chmod 555 /home/sshproxy