Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

how to setup a SSH user with minimal permissions?

Posted on 2011-09-30
5
Medium Priority
?
327 Views
Last Modified: 2012-05-12
Hello Experts,

I need to setup a ssh user with the premission to create a ssh tunnel on localhost and no more rights to do anything else.

Can someone tell me how to create a user and restrict the shell excepting the tunnel?

I'm using ubuntu.

Thanks
0
Comment
Question by:k4hvd77
5 Comments
 
LVL 14

Accepted Solution

by:
sentner earned 2000 total points
ID: 36892501
Your best bet is to change the user's shell to something that will run, but which does not allow commands to be run.  You could try the restricted shell if it's available on your system (http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html).  That will give a limited set of functionality.

Another option is to set the shell to something like a script or program that doesn't give them any ability to run anything, but which will exit cleanly when they end the session.  
0
 
LVL 80

Expert Comment

by:arnold
ID: 36892887
set the user with /bin/true as the shell (-s /bin/true).
Note that when they establish a connection, they must use the option to disable the shell request.
ssh -f user@remotehost -L port:remotehost:remoteport -R remoeport:local_named_host:local_named_hostport in putty, under the ssh settings, check the box not to require a console/shell (SSH, protocol, Don't start a shell  or command at all).
If the user does not use the -f flag when using ssh command on unix, or does not disable the starting of shell/command the connection will be dropped when /bin/true execution completes which is almost instantaneous.
 
0
 
LVL 9

Expert Comment

by:parparov
ID: 36894864
a small addendum to arnold's soltuion:
You need to use -N option not to request a shell, -f just sends the ssh into background.

From ssh's manual:
     -N      Do not execute a remote command.  This is useful for just for-
             warding ports (protocol version 2 only).

Open in new window

0
 
LVL 4

Author Comment

by:k4hvd77
ID: 36896162
Thanks for all answers but restricted shell is what I'm looking for.


0
 
LVL 9

Expert Comment

by:parparov
ID: 36896804
It's strange, for if you need to run a tunnel only, you don't need a shell at all (see my comment regarding -N option).
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month12 days, 1 hour left to enroll

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question