Restricting remote access to a single IP address via SSH

The premise

One of our clients has a Linux server. What we want to do is SSH in and set up port forwarding for RDP to a PC that’s inside the network. However, the user should be restricted to accessing only a certain IP address. For this example, I’m adding an account for Suresh to access “remotehost.example.com”. He will use this to create a tunnel, forwarding port 3306 to a PC on the remote network.

Setting up an SSH identity

First of all, create a user account with no shell:
$ sudo useradd --shell /bin/false --create-home suresh
$ sudo passwd suresh

Disconnect, then copy your ssh identity file to the destination server:

$ ssh-copy-id suresh@remotehost.example.com

Testing the SSH identity

Log into the user account through SSH once, to ensure that everything’s working. Probably not necessary, but I do it anyway. You should see something like this:
$ ssh suresh@remotehost.example.com
suresh@remotehost.example.com's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Tue Jul 29 19:08:30 NZST 2014

System load:  0.94              Processes:             165
Usage of /:   66.2% of 1.70TB   Users logged in:       1
Memory usage: 38%               IP address for virbr0: 192.168.1.2
Swap usage:   0%

Graph this data and manage this system at:
https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Connection to remotehost.example.com closed.

you@yourpc ~ $

Note that it connects, but because the account’s shell is /bin/false the session is closed immediately.

Setting security permissions

The first step is to prevent the user from logging in without an SSH key, by editing the sshd_config file:
$ sudo nano /etc/ssh/sshd_config

Add the following at the end of the file (every directive after a Match line belongs to that block until the next Match). Note the indent on the second line; that’s important:

Match User suresh
    PasswordAuthentication no

Restart the ssh service for the change to take effect.

$ sudo service ssh restart

If you try to connect without your SSH key, you should now see:

Permission denied (publickey).

Now, to restrict the user to forwarding to a single remote host:

$ sudo nano /home/suresh/.ssh/authorized_keys

You should see one line in there. Prepend that line with the following, followed by a space, so that it sits in front of the key type:

permitopen="{target IP address}:{target port}"

Save and exit the file, then give your newly configured SSH access a try:

$ ssh -N suresh@remotehost.example.com

The ‘-N’ option tells ssh that you only want to open a connection for tunnelling, as opposed to both a tunnel and a terminal session as normal. Annoyingly you won’t be shown a nice ‘Successfully connected’ message (just a hanging process), but if you’re not hit with an error message you can be confident that the connection works.

Now the user can connect and forward ports to that one remote PC, but do nothing else.
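To see what the permitopen option actually enforces, here is an added example (my own, not code from the post or from OpenSSH) that models sshd’s matching rule for permitopen= against a requested -L forward and prepends the option to a key line the way described above; the key line, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
# Hypothetical helper modelling how sshd applies permitopen= options from an
# authorized_keys line to a requested -L forward (not OpenSSH code). Rules:
# no permitopen => any destination; else host must match literally (no DNS,
# no patterns) and port must match exactly or be "*". No backslash escapes.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_options(line):
    """Split one key line into (options, key_part); quoted values may hold commas/spaces."""
    line = line.strip()
    if line.startswith(KEY_TYPES):          # no leading options
        return [], line
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
            continue
        elif ch == " " and not quoted:      # end of the option block
            opts.append(cur)
            return opts, line[i + 1:].lstrip()
        cur += ch
    return opts + [cur], ""                 # malformed: options but no key

def permitted_destinations(line):
    """All (host, port) pairs named by permitopen="host:port" options."""
    dests = []
    for opt in split_options(line)[0]:
        name, _, value = opt.partition("=")
        if name.lower() == "permitopen":
            host, _, port = value.strip('"').rpartition(":")
            dests.append((host.strip("[]"), port))
    return dests

def forward_allowed(line, host, port):
    """Would sshd accept a -L forward to host:port under this key line?"""
    dests = permitted_destinations(line)
    return not dests or any(h == host and p in ("*", str(port)) for h, p in dests)

def restrict_line(line, host, port):
    """Prepend permitopen= to a key line, keeping any options already present."""
    opts, key = split_options(line)
    opts.insert(0, f'permitopen="{host}:{port}"')
    return ",".join(opts) + " " + key

# Constructed sample line; the key material is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERKEYMATERIAL suresh@laptop"
RESTRICTED = restrict_line(KEY, "192.0.2.10", 3306)
OTHER_PORT_OK = forward_allowed(RESTRICTED, "192.0.2.10", 3389)   # False
```

Running `forward_allowed` against a few destinations is a quick way to check that the line you wrote permits the one host and port you intended and nothing else.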