Solved

how to setup a SSH user with minimal permissions?

Posted on 2011-09-30
5
320 Views
Last Modified: 2012-05-12
Hello Experts,

I need to setup a ssh user with the premission to create a ssh tunnel on localhost and no more rights to do anything else.

Can someone tell me how to create a user and restrict the shell excepting the tunnel?

I'm using ubuntu.

Thanks
0
Comment
Question by:k4hvd77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
sentner earned 500 total points
ID: 36892501
Your best bet is to change the user's shell to something that will run, but which does not allow commands to be run.  You could try the restricted shell if it's available on your system (http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html).  That will give a limited set of functionality.

Another option is to set the shell to something like a script or program that doesn't give them any ability to run anything, but which will exit cleanly when they end the session.  
0
 
LVL 79

Expert Comment

by:arnold
ID: 36892887
set the user with /bin/true as the shell (-s /bin/true).
Note that when they establish a connection, they must use the option to disable the shell request.
ssh -f user@remotehost -L port:remotehost:remoteport -R remoeport:local_named_host:local_named_hostport in putty, under the ssh settings, check the box not to require a console/shell (SSH, protocol, Don't start a shell  or command at all).
If the user does not use the -f flag when using ssh command on unix, or does not disable the starting of shell/command the connection will be dropped when /bin/true execution completes which is almost instantaneous.
 
0
 
LVL 9

Expert Comment

by:parparov
ID: 36894864
a small addendum to arnold's soltuion:
You need to use -N option not to request a shell, -f just sends the ssh into background.

From ssh's manual:
     -N      Do not execute a remote command.  This is useful for just for-
             warding ports (protocol version 2 only).

Open in new window

0
 
LVL 4

Author Comment

by:k4hvd77
ID: 36896162
Thanks for all answers but restricted shell is what I'm looking for.


0
 
LVL 9

Expert Comment

by:parparov
ID: 36896804
It's strange, for if you need to run a tunnel only, you don't need a shell at all (see my comment regarding -N option).
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question