How to set up an SSH account with no terminal but port forwarding?

4

I am trying to set up a new user account I can give to friends so they can SSH into my forwarding computer, and only allow forwarding of certain ports.

I do not want my friends to have a shell, or be able to change what ports to where they are allowed to forward.

Example session: joe (friend) connects using PuTTY (which I have pre-set, since he isn't good with computers) to example.com (my Internet-facing computer), forwarding ports 8080, 1990 and 25565 to him (with whatever end ports he wants, preferably the same numbers). Example ssh command to do something similar (but he can still change the ports on my computer!):

ssh -N restricteduser@example.com -p443 -L8080:192.168.1.2:8080 -L1990:127.0.0.1:1990 -L25565:127.0.0.1:25565

Then, same story with another friend, smith (same ports, even the same user), except he is using Linux, so he can't use PuTTY.

Is it possible to also leave default SSH functionality for all other users but this one?

I found this when I was searching Google, but alas, I did not quite understand what was being suggested, and I don't think they covered restricting port forwarding.

admalledd

Posted 2011-01-29T04:38:43.103

Reputation: 175

Good question.. – atx – 2011-01-29T04:46:08.393

Answers

4

The simplest way that comes to mind for me is to disable SFTP and change the shell to /usr/sbin/nologin or the like (a program that simply prints "This account is currently not available." and exits).

If you have no worries about them storing files under their user on your machine, then you're an /etc/passwd away from a solution. If you're worried about them filling your hard drive with junk, might I suggest setting up quotas? ;)

As to restricting the usable ports, the "permitopen" directive in sshd_config should serve that purpose nicely. It won't quite do what you want, as it can only disallow all except a given set of host targets for -L forwards, but it might be feasible to run a separate sshd specifically for these users, given you have such specific needs for their restriction.

Jeremy Sturdivant

Posted 2011-01-29T04:38:43.103

Reputation: 2 108
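As an added illustration (not part of this answer, and not OpenSSH code), the block below combines two things: a hypothetical sshd_config `Match User` fragment for the `restricteduser` account from the question, and a small Python checker that mimics the documented PermitOpen matching rules (literal host string, exact port or `*`, the `any`/`none` keywords) so you can see which of joe's `-L` forwards would be accepted and which would not. The config text, user name and destinations are taken from the question or constructed for the example.

```python
"""
Simulate how sshd evaluates a client's -L forward against PermitOpen.

Added example, not from the original post or from OpenSSH. The Match block
below is a hypothetical sshd_config tail for the "restricteduser" account
in the question; the checker mimics PermitOpen's documented matching.
"""
import re

# Constructed sshd_config tail. Match blocks must come last: everything
# after a Match line applies only to that match until the next Match.
SSHD_CONFIG_TAIL = """
Match User restricteduser
    # local (-L / -D) forwards only; no -R
    AllowTcpForwarding local
    # destination host:port pairs this user may forward to
    PermitOpen 192.168.1.2:8080 127.0.0.1:1990
    PermitOpen 127.0.0.1:25565
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    # runs in place of a shell if the client forgets -N
    ForceCommand /usr/sbin/nologin
"""


def permit_open_rules(config_text, user):
    """Collect PermitOpen arguments from the 'Match User <user>' block."""
    rules, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        kw, _, args = line.partition(" ")
        if kw.lower() == "match":
            parts = args.split()                 # only 'Match User a,b' handled here
            in_block = (len(parts) >= 2 and parts[0].lower() == "user"
                        and user in parts[1].split(","))
            continue
        if in_block and kw.lower() == "permitopen":
            rules.extend(args.split())           # several PermitOpen lines accumulate
    return rules


def _split_host_port(spec):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    if spec.startswith("["):
        host, _, port = spec[1:].partition("]:")
    else:
        host, _, port = spec.rpartition(":")
    return host, port


def forward_allowed(rules, dest_host, dest_port):
    """True if a forward to dest_host:dest_port passes PermitOpen.

    Only the destination is checked; the listening side of -L is never
    looked at, so the user may pick any local port he likes.
    """
    if not rules or "any" in rules:              # default (no PermitOpen) is 'any'
        return True
    if "none" in rules:
        return False
    for spec in rules:
        host, port = _split_host_port(spec)
        # sshd compares the host string the client sent literally: no DNS
        # lookup, so 127.0.0.1 does not match localhost and vice versa.
        if host in ("*", dest_host) and port in ("*", str(dest_port)):
            return True
    return False


def check_client_command(rules, ssh_cmd):
    """Evaluate every -L in an ssh command line; returns {forward: allowed}."""
    results = {}
    for spec in re.findall(r"-L\s*(\S+)", ssh_cmd):
        # -L [bind_addr:]listen_port:dest_host:dest_port (IPv4/hostname dests)
        _listen, dest_host, dest_port = spec.rsplit(":", 2)
        results[spec] = forward_allowed(rules, dest_host, dest_port)
    return results


if __name__ == "__main__":
    rules = permit_open_rules(SSHD_CONFIG_TAIL, "restricteduser")
    joe = ("ssh -N restricteduser@example.com -p443 -L8080:192.168.1.2:8080 "
           "-L1990:127.0.0.1:1990 -L25565:127.0.0.1:25565")
    tampered = ("ssh -N restricteduser@example.com -p443 -L9000:127.0.0.1:1990 "
                "-L1990:localhost:1990 -L2222:127.0.0.1:22 -L8080:192.168.1.3:8080")
    for cmd in (joe, tampered):
        for fwd, ok in check_client_command(rules, cmd).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} -L{fwd}")
```

The checker shows the practical shape of the restriction: joe's three forwards pass, changing only the local listening port (`-L9000:127.0.0.1:1990`) still passes because PermitOpen never looks at that side, while `localhost:1990`, `127.0.0.1:22` and another LAN host are refused. `AllowTcpForwarding local` is what stops `-R`; a `-D` SOCKS forward is a local forward and is held to the same PermitOpen list. If a friend omits `-N`, `ForceCommand` runs instead of his login shell; nologin exits at once, which also closes the session, so a command that blocks would be needed to keep the forwards up without `-N`. Keep the Match block at the very end of sshd_config and run `sshd -t` before reloading.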

Will try; sounds like it might work. If this works well enough I will select it as the answer. – admalledd – 2011-01-29T05:24:55.913

Problems with this as I tried it: the shell for the new user should be /bin/rbash, with a modified $PATH set to blank, disallowing any and all commands, while also not having the SSH session closed upon connect (as with /usr/sbin/nologin), and using "Match $username" in sshd_config works nicely to change all the settings needed on a per-user basis. – admalledd – 2011-01-30T00:42:54.150

With -N, a remote shell should never be started (this might actually need -T, but I don't think so), thus nologin isn't executed for just port forwarding. Setting PATH to blank doesn't help if someone either knows how to set variables or doesn't mind running a command with its full path (e.g., /usr/bin/nmap). – Jeremy Sturdivant – 2011-01-30T16:45:01.370

Because the idea is that I can't trust users to add -N, I use /bin/rbash (note the 'r'): you can't set environment variables or execute commands with a '/' in them (this includes ./foo and /bin/*). – admalledd – 2011-01-31T04:34:38.290

So rather than simply booting users that don't use -N, you give them a shell that does not allow them to do anything, by some standard? You could always set their shell to /bin/cat just as easily... – Jeremy Sturdivant – 2011-01-31T14:19:49.977