Here’s the situation: your colleague is working on laptop C. They need to get into server A. Server A is behind a firewall, and can create outbound connections, but inbound connections are not allowed. You have access to an internet server B, but you don't want to allow full shell access on there to your colleague.
The solution is to create two restricted users on server B, let's call them alex and casey. Server A will then SSH out to server B as user alex, and open a port listening on server B that forwards back to SSH on server A. Your colleague will then SSH from laptop C as user casey, using server B as a jumphost back to itself, and from there on to server A.
Confused? It’s not quite as complicated as it sounds. Here are the practical steps you need to take.
On server B
Create two users:
adduser alex --shell=/bin/true --disabled-password
adduser casey --shell=/bin/rbash --disabled-password
(Because the accounts are created with --disabled-password, you will need to set up SSH keys for the two users. This is a simple process but is outside the scope of this article. Its advantages are that it is more secure than a password, and also more convenient for users as it doesn't require typing two passwords on every connection attempt. Alternatively, just leave this option out and you can use passwords for authentication.)
Add the following section at the end of the sshd configuration file, /etc/ssh/sshd_config:
Match User alex
Match User casey
    PermitOpen 127.0.0.1:12345 [::1]:12345
    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
PermitOpen limits casey's port forwarding to the tunnel port on server B's own loopback address, and ForceCommand replaces any login shell with a message, so the account is only useful as a jump. Then restart sshd so the new restrictions take effect:
systemctl restart sshd.service
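A quick way to confirm the restrictions actually apply to the right account is to read the effective ForceCommand and PermitOpen for each user out of sshd_config. The script below is an added example, not part of the original article: it parses a constructed sshd_config sample (mirroring the Match blocks above) with awk, honouring sshd's rules that a Match block overrides the global section and that the first value of a keyword wins, and reports whether an account is locked down to loopback:12345 only. It also reads GatewayPorts, because its default of "no" is what keeps the port opened by alex's reverse tunnel on server B's loopback interface rather than on all interfaces. The user names, port and file contents are the article's values, constructed here as sample data.

```shell
#!/bin/sh
# Added example (not from the original article): audit sshd_config for the
# ProxyJump-only restrictions without needing a running sshd.

# write_sample_config PATH
# Writes a constructed sshd_config that mirrors the article's additions.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample: global section, then the article's Match blocks
PermitRootLogin no
GatewayPorts no

Match User alex

Match User casey
    PermitOpen 127.0.0.1:12345 [::1]:12345
    ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)'
EOF
}

# effective_option FILE USER KEYWORD
# Prints the value of KEYWORD that applies to USER: the value from a
# "Match User" block naming USER if there is one, otherwise the global value
# (text before the first Match). Within a section the first value wins, and
# keywords are case-insensitive, as in sshd's own parser.
effective_option() {
    awk -v user="$2" -v key="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" '
        function matches_user(list, u,   n, names, k) {
            n = split(list, names, ",")
            for (k = 1; k <= n; k++) if (names[k] == u) return 1
            return 0
        }
        { sub(/^[ \t]+/, ""); if ($0 == "" || $0 ~ /^#/) next }
        tolower($1) == "match" {
            # block is "" in the global section, USER inside a block that
            # names USER, and "other" inside any other Match block
            block = "other"
            for (i = 2; i < NF; i++)
                if (tolower($i) == "user" && matches_user($(i + 1), user)) block = user
            next
        }
        tolower($1) == key {
            val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
            if (block == "" && !("g" in seen)) { global = val; seen["g"] = 1 }
            else if (block == user && !("m" in seen)) { matched = val; seen["m"] = 1 }
        }
        END { if ("m" in seen) print matched; else print global }
    ' "$1"
}

# check_jump_user FILE USER PORT
# Returns 0 only if USER has a ForceCommand and a PermitOpen that allows
# nothing but loopback:PORT, i.e. the account can act as a jump and nothing else.
check_jump_user() {
    fc=$(effective_option "$1" "$2" ForceCommand)
    po=$(effective_option "$1" "$2" PermitOpen)
    [ -n "$fc" ] || { echo "$2: no ForceCommand set by sshd" >&2; return 1; }
    [ -n "$po" ] || { echo "$2: PermitOpen unset, any destination allowed" >&2; return 1; }
    set -f    # no pathname expansion while splitting $po into words
    bad=""
    for dest in $po; do
        case "$dest" in
            127.0.0.1:"$3"|"[::1]:$3"|localhost:"$3") ;;
            *) bad="$dest" ;;
        esac
    done
    set +f
    [ -z "$bad" ] || { echo "$2: PermitOpen also allows $bad" >&2; return 1; }
    return 0
}

# Demonstration run against the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
for u in alex casey; do
    if check_jump_user "$cfg" "$u" 12345; then
        echo "$u: ProxyJump-only (ForceCommand set, PermitOpen limited to loopback:12345)"
    fi
done
echo "GatewayPorts in effect for alex: $(effective_option "$cfg" alex GatewayPorts) (must be 'no' to keep port 12345 on loopback)"
rm -f "$cfg"
```

Run it against the real file with `check_jump_user /etc/ssh/sshd_config casey 12345` after editing; note that alex is reported as unrestricted by sshd, which is expected, because the article relies on the /bin/true login shell rather than on a ForceCommand for that account.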
On server A
Open the reverse tunnel; this listens on port 12345 on server B and forwards connections back to SSH on server A:
ssh -R 12345:localhost:22 -N alex@serverB
(Note: you probably want to run this command inside screen or something similar, so that it keeps running without you needing to leave the terminal open.)
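A tunnel left running in screen silently stops being useful when the connection drops or when the remote port is already taken on server B. The script below is an added example, not part of the original article: it builds the article's ssh command with options that turn those conditions into a clean exit (ExitOnForwardFailure, BatchMode, server keepalives) and wraps it in a reconnect loop, which can then be started from screen, nohup or a service. The account name alex, the host name serverB and port 12345 are the article's values; the retry delay is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): keep the reverse tunnel from
# server A to server B alive and make its failure modes visible.

# tunnel_command REMOTE LISTEN_PORT
# Prints the ssh command line for the tunnel. Options used:
#   -N                     no remote command (alex's shell is /bin/true anyway)
#   ExitOnForwardFailure   exit if port LISTEN_PORT cannot be bound on server B,
#                          instead of staying connected without the forward
#   BatchMode              never block on a password or passphrase prompt
#   ServerAliveInterval/ServerAliveCountMax
#                          declare the connection dead after 3 missed probes
#                          (about 90 s) so the loop below can reconnect
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o BatchMode=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:localhost:22 %s' "$2" "$1"
}

# keep_tunnel_up REMOTE LISTEN_PORT [RETRY_SECONDS]
# Runs the tunnel in a loop, logging each exit and reconnecting after a delay
# (default 10 s, an assumed value).
keep_tunnel_up() {
    delay=${3:-10}
    while :; do
        echo "$(date '+%F %T') starting tunnel to $1 (remote port $2)"
        # the command contains no quoting, so plain word splitting runs it
        $(tunnel_command "$1" "$2")
        echo "$(date '+%F %T') tunnel exited with status $?, retrying in ${delay}s"
        sleep "$delay"
    done
}

# Stand-alone run shows the command that would be used; on server A start the
# loop instead, e.g. from screen:  keep_tunnel_up alex@serverB 12345
echo "Tunnel command: $(tunnel_command alex@serverB 12345)"
```

Because GatewayPorts defaults to "no" on server B, the listening port is bound to server B's loopback address regardless of how the client asks, which is exactly what the casey account's PermitOpen expects.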
On laptop C
ssh -p 12345 user@localhost -J casey@serverB
(Here user is the user account on server A that your colleague needs to access. It is unrelated to alex and casey, which are accounts on server B only.)
Done! Your colleague should now have an SSH connection open to server A. The restrictions on the two accounts mean that your colleague can't do anything on server B, and anyone connecting out from server A can't do anything on server B either.