SSH - Allow a user to forward ports but not to login to the shell

Hi All;

I want to set up SSH port forwarding, but I also want to keep users from actually logging into the system.

Anyone know how to allow SSH forwarding (plink on Windows) without actually allowing an SSH shell login?
SqueebeeAsked:

Mihai Barbos Commented:
0
SqueebeeAuthor Commented:
No. That made zero mention of creating a user that had no login privileges but could still forward ports, and therefore wasted 10 minutes of my time.
0
Mihai Barbos Commented:
Ohhh, excuse me for wasting your time.

Have you ever heard of the trick of changing the user's shell to /sbin/nologin? Try it, maybe it works.
0
SqueebeeAuthor Commented:
No, it does not.
0
Mihai Barbos Commented:
Of course it doesn't. Because it's a matter of respect and also a matter of knowing what you want to do. Your question and behaviour prove that you are an ignorant M$ Visual Basic script kiddie who just thinks he's a genius. You're not. You're probably just a little bit above average. And you have bad manners.

And, BTW, you should now have enough information to figure out for yourself what you have to do (that is, if you really are above average).
0
SqueebeeAuthor Commented:
Well, I at least know well enough not to submit links that take 10 minutes to read unless they actually answer the question at hand.
0
SqueebeeAuthor Commented:
Just to clarify, the issue I had with your first response is that while it was a fine example of SSH tunneling, it had nothing to do with the setup of a server-side user that would have no shell access while still being able to open tunnels. The second suggestion simply results in "user unavailable" messages, but still does not permit tunneling. If I had set the points at sub-100 I would not mind links being thrown out to me without some proof that they work, but higher points means I expect specific answers.

That being said, does anyone have a solution?
0
majorwooCommented:
You could lock them in a shell of your own so they were unable to do anything else. Although not correct, it's the only idea I've got off the top of my head:

#!/bin/bash
# Dummy login shell: does nothing but keep the SSH session open so that the
# forwarded ports stay up. The user never gets a prompt, and leaving the
# script (however it happens) ends the session and severs the tunnel.
TIME=600
while true
do
  sleep $TIME
done

exit 0

It depends on what you are looking to do; this could easily add a timeout to the tunnel, as after TIME it would disconnect them...

What is the goal of the tunnel without a login here, access to another service behind your firewall?
0
SqueebeeAuthor Commented:
Yes, I wish to provide access to a database server's port, but the users have no real reason for a direct login.
0
majorwooCommented:
And you are using the tunnel as a security measure instead of just port forwarding?
0
SqueebeeAuthor Commented:
Two purposes: Get past a firewall and keep the session secure since the database session is otherwise plaintext. I will also eventually look at Stunnel for full deployment.
0
majorwooCommented:
Well, the tunnel requires an active connection, so I don't believe you can actually prevent them from logging in and get it to work. You could, however, make one account used specifically for this passthrough and put it into the dummy shell I did earlier to prevent anyone from doing anything malicious with it, as exiting the shell (abnormally or not) would log them off and sever the tunnel. This way, even if someone gains access to the account, there is nothing they could do other than tunnel ports (which is what would happen even if you had an account they didn't log into).

I'm assuming you already have your firewall set up to block everything else?
0
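A hardened version of the dummy-shell approach majorwoo describes above (the sleep loop, and the dedicated passthrough account that uses it), added here as an example and not code from the thread. It assumes a hypothetical install path /usr/local/sbin/tunnelshell that is listed in /etc/shells and set as the login shell of a dedicated account, a hypothetical TUNNEL_TTL environment variable for the session lifetime, and that clients normally open the tunnel with plink -N or ssh -N so that no shell is requested at all.

```shell
#!/bin/sh
# Tunnel-only login shell (added example, not from the thread). sshd invokes
# the login shell either with no arguments (interactive login) or as
# "shell -c command" when a client asks to run a command, which includes the
# scp/sftp helpers. Only the first case is allowed: the session is held
# open so port forwarding keeps working, and the command case is refused.

# Session lifetime in seconds (hypothetical variable name, default 10 min).
TUNNEL_TTL="${TUNNEL_TTL:-600}"

# Return 0 for a plain login request, 1 when sshd passes a command to run.
tunnel_session_allowed() {
    [ "$#" -eq 0 ]
}

# Record what happened so attempts to run commands through the tunnel
# account show up in syslog; silently skipped where logger is unavailable.
tunnel_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t tunnelshell "$*" || true
    fi
    return 0
}

# Entry point. Returns 1 when a command was refused and 0 after the session
# lifetime has expired; either way the session ends and the tunnel drops.
tunnel_main() {
    if ! tunnel_session_allowed "$@"; then
        tunnel_log "refused command request: $*"
        echo "This account is for port forwarding only." >&2
        return 1
    fi
    tunnel_log "session opened, expires in ${TUNNEL_TTL}s"
    # The client hanging up sends SIGHUP; leave cleanly instead of lingering.
    trap 'tunnel_log "session closed by client"; exit 0' HUP INT TERM
    sleep "$TUNNEL_TTL"
    tunnel_log "session expired"
    return 0
}

# Run only when installed as the login shell (sshd sets $0 to "-tunnelshell"
# or "tunnelshell"), so the functions can be sourced without starting a session.
case "$0" in
    *tunnelshell) tunnel_main "$@" ;;
esac
```

The sshd_config side still needs a Match User block for the account that keeps AllowTcpForwarding yes, narrows PermitOpen to the database host and port, and sets PermitTTY no, X11Forwarding no and AllowAgentForwarding no.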
SqueebeeAuthor Commented:
Yeah, locked down except for the SSH port and port 80. I like that idea and think I will implement it.
0