From f42344ebe80aafa241831555dd89023f3241b47c Mon Sep 17 00:00:00 2001 From: sysadminmatmoz Date: Sun, 14 Sep 2025 22:02:48 +0200 Subject: [PATCH] Document restricted key setup for tunnel-only access in README, including creation, configuration, and troubleshooting steps --- README.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/README.md b/README.md index 020bff3..a120ab8 100644 --- a/README.md +++ b/README.md 
@@ -70,6 +70,94 @@ Packaged example: /usr/share/backtunnel/profiles.ini --- +## 🔒 Temporary, tunnel-only access (restricted key) + +By default, if you install a normal SSH key on the sharing machine, that key could also be used for direct SSH (if the server is reachable). To keep access **strictly temporary** and **usable only through the reverse tunnel**, use a **restricted key** in `authorized_keys`. + +This approach: +- **Allows SFTP/sshfs only** (no shell). +- **Only works via the reverse tunnel** (server sees the client as `127.0.0.1`). +- **Stops working** automatically when the reverse tunnel (started by `backtunnel-share`) ends. + +### 1) Create a dedicated key on the client (access side) + +```bash +ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_backtunnel -C backtunnel +``` + +### 2) Copy the public key to the server via the tunnel once + +You’ll be prompted for the server password this one time, while the tunnel is up. + +```bash +ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519_backtunnel.pub user@localhost +``` + +### 3) Restrict that key in authorized_keys on the server + +Edit the newly added line for this key in ~/.ssh/authorized_keys on the server and prefix it with: + +```ini +from="127.0.0.1",command="internal-sftp",restrict +``` + +The final line should look like: + +```ini +from="127.0.0.1",command="internal-sftp",restrict ssh-ed25519 AAAAC3... backtunnel +``` + +- from="127.0.0.1" limits use to connections that arrive via the reverse tunnel. +- command="internal-sftp" forces SFTP only (sshfs uses SFTP). +- restrict implies no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding. 
+ +💡 One-liner (no editor): prepend restrictions while appending your key +```bash +( printf 'from="127.0.0.1",command="internal-sftp",restrict '; cat ~/.ssh/id_ed25519_backtunnel.pub ) \ +| ssh -p 2222 user@localhost 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' +``` + +### 4) Use as normal with BackTunnel + +Start the share on the server: + +```bash +backtunnel-share /path/to/folder with user@REMOTE for 2h +``` + +Mount on the client (no password prompts now): + +```bash +mkdir -p ~/remote-rssh +backtunnel-access /path/to/folder from user@REMOTE -p 2222 -m ~/remote-rssh +``` + +### 5) Cleanup (optional) + +After you’re done, remove the restricted key line from ~/.ssh/authorized_keys on the server (or keep it for next time—it's safe: it only works via the tunnel, and only for SFTP). + +> If you keep it, the key does not grant shell access and cannot be used over the network directly thanks to from="127.0.0.1". + +--- + +### Troubleshooting + +- If sftp -P 2222 user@localhost or sshfs still asks for a password: + + - The restricted key line may be malformed (missing comma or options). + - File permissions: ~/.ssh should be 700, authorized_keys should be 600 on the server. + - Too many keys tried: you can force the key with: + +```bash +ssh -i ~/.ssh/id_ed25519_backtunnel -p 2222 user@localhost true +``` + +- If your mount point is ~-based, don’t quote it (~/remote-rssh is OK; '~/remote-rssh' won’t expand). + +If you’d also like a brief “restricted key” note in the man page later, say the word and I’ll hand you a ready-to-paste `.1` section too. + +--- + ### 🖥️ Dolphin Service Menus Two context actions for Dolphin are installed:
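Review bot: the "💡 One-liner (no editor)" block is presented as an alternative to editing the line in step 3, but a reader who has already run step 2 (`ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519_backtunnel.pub user@localhost`) and then uses the one-liner ends up with two entries for the same key, the first of them unrestricted; sshd matches the first entry, so the `from`/`command`/`restrict` options on the appended line never take effect and the key grants full shell access. State explicitly that the one-liner replaces step 2 (run it instead of ssh-copy-id), and add a check such as `grep -c backtunnel ~/.ssh/authorized_keys` to confirm exactly one line is present. Two smaller points: `from="127.0.0.1"` rejects the tunnel when the reverse forward on the sharing side reaches sshd over IPv6 loopback, so `from="127.0.0.1,::1"` is the safer pattern if sshd listens on both; and the closing sentence "If you'd also like a brief "restricted key" note in the man page later, say the word and I'll hand you a ready-to-paste `.1` section too." reads as pasted assistant chatter and should not ship in README.md.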