Solved

how to setup a SSH user with minimal permissions?

Posted on 2011-09-30
5
319 Views
Last Modified: 2012-05-12
Hello Experts,

I need to setup a ssh user with the premission to create a ssh tunnel on localhost and no more rights to do anything else.

Can someone tell me how to create a user and restrict the shell excepting the tunnel?

I'm using ubuntu.

Thanks
0
Comment
Question by:k4hvd77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
sentner earned 500 total points
ID: 36892501
Your best bet is to change the user's shell to something that will run, but which does not allow commands to be run.  You could try the restricted shell if it's available on your system (http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html).  That will give a limited set of functionality.

Another option is to set the shell to something like a script or program that doesn't give them any ability to run anything, but which will exit cleanly when they end the session.  
0
 
LVL 78

Expert Comment

by:arnold
ID: 36892887
set the user with /bin/true as the shell (-s /bin/true).
Note that when they establish a connection, they must use the option to disable the shell request.
ssh -f user@remotehost -L port:remotehost:remoteport -R remoeport:local_named_host:local_named_hostport in putty, under the ssh settings, check the box not to require a console/shell (SSH, protocol, Don't start a shell  or command at all).
If the user does not use the -f flag when using ssh command on unix, or does not disable the starting of shell/command the connection will be dropped when /bin/true execution completes which is almost instantaneous.
 
0
 
LVL 9

Expert Comment

by:parparov
ID: 36894864
a small addendum to arnold's soltuion:
You need to use -N option not to request a shell, -f just sends the ssh into background.

From ssh's manual:
     -N      Do not execute a remote command.  This is useful for just for-
             warding ports (protocol version 2 only).

Open in new window

0
 
LVL 4

Author Comment

by:k4hvd77
ID: 36896162
Thanks for all answers but restricted shell is what I'm looking for.


0
 
LVL 9

Expert Comment

by:parparov
ID: 36896804
It's strange, for if you need to run a tunnel only, you don't need a shell at all (see my comment regarding -N option).
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question