Solved

how to setup a SSH user with minimal permissions?

Posted on 2011-09-30
5
316 Views
Last Modified: 2012-05-12
Hello Experts,

I need to setup a ssh user with the premission to create a ssh tunnel on localhost and no more rights to do anything else.

Can someone tell me how to create a user and restrict the shell excepting the tunnel?

I'm using ubuntu.

Thanks
0
Comment
Question by:k4hvd77
5 Comments
 
LVL 14

Accepted Solution

by:
sentner earned 500 total points
ID: 36892501
Your best bet is to change the user's shell to something that will run, but which does not allow commands to be run.  You could try the restricted shell if it's available on your system (http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html).  That will give a limited set of functionality.

Another option is to set the shell to something like a script or program that doesn't give them any ability to run anything, but which will exit cleanly when they end the session.  
0
 
LVL 77

Expert Comment

by:arnold
ID: 36892887
set the user with /bin/true as the shell (-s /bin/true).
Note that when they establish a connection, they must use the option to disable the shell request.
ssh -f user@remotehost -L port:remotehost:remoteport -R remoeport:local_named_host:local_named_hostport in putty, under the ssh settings, check the box not to require a console/shell (SSH, protocol, Don't start a shell  or command at all).
If the user does not use the -f flag when using ssh command on unix, or does not disable the starting of shell/command the connection will be dropped when /bin/true execution completes which is almost instantaneous.
 
0
 
LVL 9

Expert Comment

by:parparov
ID: 36894864
a small addendum to arnold's soltuion:
You need to use -N option not to request a shell, -f just sends the ssh into background.

From ssh's manual:
     -N      Do not execute a remote command.  This is useful for just for-
             warding ports (protocol version 2 only).

Open in new window

0
 
LVL 4

Author Comment

by:k4hvd77
ID: 36896162
Thanks for all answers but restricted shell is what I'm looking for.


0
 
LVL 9

Expert Comment

by:parparov
ID: 36896804
It's strange, for if you need to run a tunnel only, you don't need a shell at all (see my comment regarding -N option).
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Linux VM 6 101
centos linux 65 159
centos commands 6 69
Intel fortran compiler (ifort) 5 38
Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question