LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 03-12-2011, 08:54 PM   #1
jago25_98
Member
 
Registered: Jun 2001
Posts: 302

Rep: Reputation: 30
Allow ssh tunnel but disallow shell


I need a to allow a user to tunnel an ssh session but disallow them a bash shell.

# chsh -s /sbin/nologin {username} won't cut it...?

would permissions be the way to go with it? But how? Setup a group and add the user to that group? Or add all other users to that group... I'm confused

I don't need to chain to a new server unlike previous questions asked here.
 
Old 03-12-2011, 10:22 PM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 6,006

Rep: Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840
Allow user tunnel without shell.

Why?
I can think of no situation where a tunnel would be of significant use without a shell.
Encrypted sessions, chroot (actual or ssh/style), sftp-only, or restricted shell accounts I can understand, but why a tunnel-only account?


Check out IBSH (Iron Bound Shell) to see if it might serve your real purpose.
 
Old 03-13-2011, 12:22 PM   #3
jago25_98
Member
 
Registered: Jun 2001
Posts: 302

Original Poster
Rep: Reputation: 30
I have friends behind various firewalls (Libya, Australia, China & a few work environements). I trust them enough to let them use my dynamic port forwarding but IŽd rather not allow them a user account on the shell, fair point though
 
Old 03-14-2011, 10:18 AM   #4
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 6,006

Rep: Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840Reputation: 2840
proxy in disguise

I think that there are better ways to do it, but if that is what you want ...

Install IBSH and make it the shell for those accounts, then configure it so that the only commands they can run are 'exit' and 'logout'.

Permit their tunnel(s).
I would also set up automatic cleansing of the logs daily, so that I help no trace of their activity more than a few hours old.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Disallow new ssh connections for a while ? Vilius Linux - General 1 01-06-2011 07:44 AM
SSH Tunnel Forwarding with no shell Unixscript Linux - Server 1 07-10-2010 01:58 AM
SSH tunnel server, no shell but still able to change pw? humbletech99 Linux - Security 4 05-08-2008 06:11 AM
How do I disallow ssh login by root? Seventh Linux - Newbie 1 03-26-2005 11:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration