tech-net archive


Re: Non-root tun-over-ssh?



Maybe I'm missing something - or maybe two things.

OpenSSH "tunnels" are app-level things, and have nothing to do with
the tun interface.
And ideally, the routing table should be untouched as well.
This requires either apps that have flexible connection settings (most
do) or the use of a tcpwrapper/netcat kind of program.

If this is not what you want at all, and you're talking about what I
think you might be, then OpenVPN is the solution :)

-SS
-- 
NUNQUAM NON PARATUS


On Mon, Sep 19, 2011 at 5:41 PM, John Klos <john%ziaspace.com@localhost> wrote:
>>> Does anyone know how I can use tunnels over OpenSSH with non-root users?
>>
>> Use sudo?
>>
>> Setting up a tunnel involves changing the routing table, which should only
>> be done by something with superuser permissions (regardless of the ownership
>> of /dev/tun* devices)...
>
> The issue is that the connecting machine is often outside of my physical
> control after it's set up, so I'd rather not have root equivalency between
> the connecting machine and the routing machine. I'd rather an unprivileged
> user have an account which can own a tunnel, but that's all - I can have an
> suid script actually configure the tunnel and add routes.
>
> Creating just a tunnel without configuring it shouldn't change the routing
> table, and changing ownership of the device in /dev/ is a pretty common
> thing (like giving serial ports to different people on a multiport serial
> card for accessing their own machine). I just don't know how OpenSSH can be
> configured to link the tunnel to the tun interface after seeing that
> ownership allows it.
>
> Thanks,
> John

