Solved

SSH - Allow a user to forward ports but not to login to the shell

Posted on 2003-10-25
13
Medium Priority
1,579 Views
Last Modified: 2010-04-22
Hi All;

I want to set up SSH port forwarding, but I also want to keep users from actually logging into the system.

Anyone know how to allow SSH forwarding (plink on Windows) without actually allowing an SSH shell login?
Question by:Squeebee
13 Comments
 
LVL 6

Expert Comment

by:mbarbos
ID: 9627686
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9628057
No. That made zero mention of creating a user that had no login privileges but could still forward ports, and therefore wasted 10 minutes of my time.
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 9628243
Ohhh, excuse me for wasting your time.

Have you ever heard about the trick of changing the user's shell to /sbin/nologin? Try it, maybe it works.
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9628293
No, it does not.
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 9630027
Of course it doesn't. Because it's a matter of respect and also a matter of knowing what you want to do. Your question and behaviour prove that you are an ignorant M$ Visual Basic script kiddie that just thinks he's a genius. You're not. You're probably just a little bit above average. And you have bad manners.

And, BTW, you should have now enough information to be able to figure out yourself what you have to do (that is if you really are above average)
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9630182
Well I at least know well enough to not submit links that take 10 minutes to read unless they actually do answer the question at hand.
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9630270
Just to clarify, the issue I had with your first response is that while it was a fine example of SSH tunneling, it had nothing to do with the setup of a server-side user that would have no shell access while still being able to open tunnels. The second suggestion simply results in user unavailable messages, but still does not permit tunneling. If I had set the points at sub-100 I would not mind links being thrown out to me without some proof that they work, but higher points means I expect specific answers.

That being said, does anyone have a solution?
0
 
LVL 9

Accepted Solution

by:
majorwoo earned 1400 total points
ID: 9635088
You could lock them in a shell of your own so they were unable to do anything else. Although not correct, it's the only idea I've got off the top of my head:

#!/bin/bash
# Dummy login shell: gives no prompt, just keeps the session (and any
# tunnel running through it) open until the client disconnects.
TIME=600   # sleep interval in seconds; as written the loop never ends on its own
while true
do
  sleep "$TIME"
done

exit 0

It depends on what you are looking to do; this could easily add a timeout to the tunnel, as after TIME it would disconnect them...

What is the goal of the tunnel without a login  here, access to another service behind your firewall?
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9635184
Yes, I wish to provide access to a database server's port, but the users have no real reason for a direct login.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 9635343
and you are using the tunnel as a security measure instead of just port forwarding?
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9635797
Two purposes: Get past a firewall and keep the session secure since the database session is otherwise plaintext. I will also eventually look at Stunnel for full deployment.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 9635930
Well, the tunnel requires an active connection, so I don't believe you can actually prevent them from logging in and get it to work. You could however make one account used specifically for this passthrough, and put it into the dummy shell I did earlier to prevent anyone from doing anything malicious with it, as exiting the shell (abnormally or not) would log them off and sever the tunnel -- this way even if someone gains access to the account there is nothing they could do other than tunnel ports -- (which is what would happen even if you had an account they didn't log into)

I'm assuming you already have your firewall setup to block everything else?
0
 
LVL 17

Author Comment

by:Squeebee
ID: 9636012
Yeah, locked down except for SSH port and port 80. I like that idea and think I will implement it.
0
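The server-side equivalent of the dummy-shell idea in the accepted solution and majorwoo's follow-up, added here as an example (not code from the thread): an sshd_config Match block that confines the account to forwarding one database port and nothing else, plus a small audit that checks a config file for those directives. Assumed names: account dbtunnel, database at 127.0.0.1:5432; the directives need OpenSSH 6.2 or later.

```shell
#!/bin/sh
# Added example, not from the thread: confine one SSH account to port
# forwarding only. Assumed: account "dbtunnel", database on 127.0.0.1:5432,
# OpenSSH 6.2+ (PermitTTY, AllowTcpForwarding local).
# Emit the sshd_config Match block for user $1: -L forwards only to $2:$3,
# no -R forwards, no PTY/X11/agent/tun, and a sleeping forced command in
# place of a shell for clients that still request a session.
tunnel_only_match_block() {
  printf 'Match User %s\n' "$1"
  printf '    AllowTcpForwarding local\n'
  printf '    PermitOpen %s:%s\n' "$2" "$3"
  printf '    PermitTTY no\n'
  printf '    X11Forwarding no\n'
  printf '    AllowAgentForwarding no\n'
  printf '    PermitTunnel no\n'
  printf '    ForceCommand /bin/sleep 600\n'
}
# Directives the audit requires in that block (value-free entries only
# require the directive itself to be present).
REQUIRED='AllowTcpForwarding local
PermitOpen
PermitTTY no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
ForceCommand'
# Print the lines of the "Match User $2" block in sshd_config file $1.
match_block() {
  awk -v u="$2" '
    /^[[:space:]]*Match[[:space:]]/ { inblk = ($0 ~ ("User[[:space:]]+" u "([[:space:]]|$)")); next }
    inblk { print }' "$1"
}
# Audit file $1 for user $2: list missing directives, return 0 only when
# every REQUIRED entry is present.
audit_tunnel_user() {
  blk=$(match_block "$1" "$2")
  [ -n "$blk" ] || { echo "no Match block for $2 in $1"; return 1; }
  missing=0
  old_ifs=$IFS; IFS='
'
  for d in $REQUIRED; do
    printf '%s\n' "$blk" | grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" ||
      { echo "missing: $d"; missing=$((missing + 1)); }
  done
  IFS=$old_ifs
  [ "$missing" -eq 0 ]
}
tunnel_only_match_block dbtunnel 127.0.0.1 5432   # print the block
```

Clients should connect with -N (plink also has -N) so that no session is requested at all; the forced command only matters for a client that still asks for one, and the account's login shell can additionally be set to nologin.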
