PMISuite/BackTunnel
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Document restricted key setup for tunnel-only access in README, including creation, configuration, and troubleshooting steps

Browse Source
This commit is contained in:
Matjaž Mozetič
2025-09-14 22:02:48 +02:00
parent 2af7303288
commit f42344ebe8
1 changed files with 88 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
README.md
View File

@@ -70,6 +70,94 @@ Packaged example: /usr/share/backtunnel/profiles.ini
--- ---
## 🔒 Temporary, tunnel-only access (restricted key)
By default, if you install a normal SSH key on the sharing machine, that key could also be used for direct SSH (if the server is reachable). To keep access **strictly temporary** and **usable only through the reverse tunnel**, use a **restricted key** in `authorized_keys`.
This approach:
- **Allows SFTP/sshfs only** (no shell).
- **Only works via the reverse tunnel** (server sees the client as `127.0.0.1`).
- **Stops working** automatically when the reverse tunnel (started by `backtunnel-share`) ends.
### 1) Create a dedicated key on the client (access side)
```bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_backtunnel -C backtunnel
```
### 2) Copy the public key to the server via the tunnel once
Youll be prompted for the server password this one time, while the tunnel is up.
```bash
ssh-copy-id -p 2222 -i ~/.ssh/id_ed25519_backtunnel.pub user@localhost
```
### 3) Restrict that key in authorized_keys on the server
Edit the newly added line for this key in ~/.ssh/authorized_keys on the server and prefix it with:
```ini
from="127.0.0.1",command="internal-sftp",restrict
```
The final line should look like:
```ini
from="127.0.0.1",command="internal-sftp",restrict ssh-ed25519 AAAAC3... backtunnel
```
- from="127.0.0.1" limits use to connections that arrive via the reverse tunnel.
- command="internal-sftp" forces SFTP only (sshfs uses SFTP).
- restrict implies no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding.
💡 One-liner (no editor): prepend restrictions while appending your key
```bash
( printf 'from="127.0.0.1",command="internal-sftp",restrict '; cat ~/.ssh/id_ed25519_backtunnel.pub ) \
| ssh -p 2222 user@localhost 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
```
### 4) Use as normal with BackTunnel
Start the share on the server:
```bash
backtunnel-share /path/to/folder with user@REMOTE for 2h
```
Mount on the client (no password prompts now):
```bash
mkdir -p ~/remote-rssh
backtunnel-access /path/to/folder from user@REMOTE -p 2222 -m ~/remote-rssh
```
### 5) Cleanup (optional)
After youre done, remove the restricted key line from ~/.ssh/authorized_keys on the server (or keep it for next time—it's safe: it only works via the tunnel, and only for SFTP).
> If you keep it, the key does not grant shell access and cannot be used over the network directly thanks to from="127.0.0.1".
---
### Troubleshooting
- If sftp -P 2222 user@localhost or sshfs still asks for a password:
- The restricted key line may be malformed (missing comma or options).
- File permissions: ~/.ssh should be 700, authorized_keys should be 600 on the server.
- Too many keys tried: you can force the key with:
```bash
ssh -i ~/.ssh/id_ed25519_backtunnel -p 2222 user@localhost true
```
- If your mount point is ~-based, dont quote it (~/remote-rssh is OK; '~/remote-rssh' wont expand).
If youd also like a brief “restricted key” note in the man page later, say the word and Ill hand you a ready-to-paste `.1` section too.
---
### 🖥️ Dolphin Service Menus ### 🖥️ Dolphin Service Menus
Two context actions for Dolphin are installed: Two context actions for Dolphin are installed: