GVM-Docker
Remove ability for `gvm` user to obtain shell and restrict the port-forwards possible
Is your feature request related to a problem? Please describe.
Currently it appears sshd_config is restricted to the gvm user with nicely appropriate authentication and encryption settings.
However, this sshd_config does not prevent the gvm user from establishing a shell or creating arbitrary port-forwards.
In the undesirable situation where the associated SSH private key ends up in the wrong hands, it would be better if the gvm user had fewer freedoms and was more limited in what it can achieve beyond the ssh-port-forward requirement.
Describe the solution you'd like
Add restrictions to sshd_config and the gvm user by introducing the configuration items suggested below. I do not have a test/development environment available to confirm that the config below can be cut-n-pasted into place; it is presented here as a guide to outline the intent.
PermitTunnel no                   # no tun(4) device forwarding
GatewayPorts no                   # remote forwards bind to loopback only
AllowTcpForwarding no             # no TCP port forwards by default
AllowStreamLocalForwarding no     # no UNIX-domain socket forwards by default
Match User gvm
    AllowTcpForwarding yes        # re-enable TCP forwarding for gvm only
    PermitOpen 127.0.0.1:9390     # ... and only to this one destination
    ForceCommand /bin/false       # any session request runs /bin/false instead of a shell
Describe alternatives you've considered
None
Additional context
None
The issue is that the GVM connects to a UNIX socket to talk to the scanner.
So setting AllowStreamLocalForwarding no will not work.
That is the reason that the "scanner id" exists so that each scanner has a unique filename.
You can see the script that is used to connect here.
Adding the following should be possible, but I have not yet tested it.
PermitTunnel no # The default is no already
AllowTcpForwarding no
ForceCommand /bin/false
If you have any other ideas on how we could improve the security of the remote scanners that would be helpful.
We can do something like described here: https://www.skreutz.com/posts/unix-domain-socket-forwarding-with-openssh/
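The thread's two proposals differ in one detail that matters: the first turns off `AllowStreamLocalForwarding`, which is exactly the channel type the scanner connection uses, while the second keeps it and only removes the shell and TCP forwards. The script below is an added example, not code from GVM-Docker or from either commenter. It resolves the settings sshd would apply to one user (global section plus any matching `Match User` block, with the Match block overriding the global value and the first value obtained winning among duplicates) and reports where the result still lets the key holder do more than forward a local UNIX socket. It interprets only `Match User` criteria, uses the documented sshd defaults, and the two sample configs are constructed for the example; `PermitOpen` is checked only for TCP forwards because that keyword does not apply to UNIX-socket forwards.

```python
"""Audit an sshd_config for a forward-only account such as the gvm user.

Added example for this thread, not GVM-Docker code. It resolves the
settings sshd would apply to one user (global section plus matching
"Match User" blocks; a Match block overrides the global value, and where
several lines set one keyword the first value obtained wins) and reports
where the key holder can still do more than forward the scanner's UNIX
socket. The two configs at the bottom are constructed for the example.
"""
import shlex


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords are lowercased.

    match_blocks is a list of (criteria, settings) in file order. Only
    "Match User ..." criteria are interpreted; a block with any other
    criterion is treated as not matching. That is conservative for an
    audit: it may hide a tightening but never invents one.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        if "=" in parts[0]:                      # Keyword=value form
            parts = parts[0].split("=", 1) + parts[1:]
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            criteria = {args[i].lower(): args[i + 1].split(",")
                        for i in range(0, len(args) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(key, " ".join(args))  # first value wins
    return global_settings, blocks


def effective_settings(text, user):
    """Settings sshd applies to `user`: global, overridden by Match User."""
    global_settings, blocks = parse_sshd_config(text)
    from_match = {}
    for criteria, settings in blocks:
        if set(criteria) == {"user"} and user in criteria["user"]:
            for key, value in settings.items():
                from_match.setdefault(key, value)  # first matching block wins
    return {**global_settings, **from_match}


def audit_forward_only(text, user="gvm"):
    """Findings for `user`; empty when only a local UNIX-socket forward remains.

    sshd defaults assumed: AllowTcpForwarding yes, PermitOpen any,
    AllowStreamLocalForwarding yes, PermitTunnel no, AllowAgentForwarding
    yes, X11Forwarding no, PermitTTY yes, no ForceCommand.
    """
    eff = effective_settings(text, user)

    def get(key, default):
        return eff.get(key, default).lower()

    findings = []
    if "forcecommand" not in eff:
        findings.append("ForceCommand unset: a session channel gets a login shell")
    if get("permittty", "yes") != "no":
        findings.append("PermitTTY yes: a pty can be allocated for whatever runs")
    if get("permittunnel", "no") != "no":
        findings.append("PermitTunnel: tun(4) tunnelling is allowed")
    if get("allowtcpforwarding", "yes") != "no" and get("permitopen", "any") == "any":
        findings.append("AllowTcpForwarding without PermitOpen: arbitrary TCP forwards")
    if get("allowstreamlocalforwarding", "yes") not in ("yes", "all", "local"):
        findings.append("AllowStreamLocalForwarding blocks the scanner socket forward")
    if get("allowagentforwarding", "yes") != "no":
        findings.append("AllowAgentForwarding yes: client agent reachable from the host")
    if get("x11forwarding", "no") != "no":
        findings.append("X11Forwarding yes")
    return findings


# Constructed: the first proposal in this thread, which also turns off the
# UNIX-socket forwarding the scanner connection relies on.
FIRST_PROPOSAL = """
PermitTunnel no
GatewayPorts no
AllowTcpForwarding no
AllowStreamLocalForwarding no
Match User gvm
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:9390
    ForceCommand /bin/false
"""

# Constructed: forward-only gvm user, socket forward kept, other users untouched.
FORWARD_ONLY = """
AllowTcpForwarding yes            # other accounts keep TCP forwards
Match User gvm
    ForceCommand /bin/false       # ssh -N opens no session; a session just runs /bin/false
    PermitTTY no
    PermitTunnel no
    AllowTcpForwarding no
    AllowStreamLocalForwarding local
    AllowAgentForwarding no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("first proposal", FIRST_PROPOSAL), ("forward-only", FORWARD_ONLY)):
        print(name + ":", audit_forward_only(cfg) or "OK")
```

Run it against the real file with `audit_forward_only(open("/etc/ssh/sshd_config").read(), "gvm")` after `sshd -t` has accepted the config; the audit is a static check of the parsed keywords, not a substitute for connecting as gvm and confirming that `ssh -N -L` of the scanner socket still works while `ssh gvm@host` and a `-L 127.0.0.1:2222:...` TCP forward are refused. The same restrictions can also be expressed per key in `authorized_keys` (`restrict,port-forwarding,command="/bin/false"`), which ties them to the one key the scanner uses rather than to the account.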