83

How can I restrict a user on the SSH server to allow them only the privileges for SSH tunneling? i.e. So they cannot run commands even if they log in via SSH.

My Linux servers are Ubuntu 11.04 and OpenWrt.

3 Answers

85

On the server side, you can restrict this by setting their user shell to /bin/true. This will allow them to authenticate, but not actually run anything since they don't get a shell to run it in. This means they will be limited to whatever subset of things SSH is able to offer them. If it offers port forwarding, they will still be able to do that.

On the client side, you will probably want to connect with the -N flag. This stops the client from ASKING for a remote command such as a shell; it just stops after the authentication part is done. Thanks to commenters for pointing this out.

8
  • I will try this one out :P thx! Commented Jun 3, 2011 at 9:41
  • 3
    To add to Caleb's answer, you may also need to tell the client not to execute a shell. With the openssh command line, this is done with the -N flag. There is a similar option in PuTTY, but I don't recall the exact name.
    – Bill B
    Commented Jun 3, 2011 at 19:28
  • 3
    Sorry, I wasn't clear - I meant in combination with the server setting. It's been my experience in the past that if you set the shell to something that's not a shell, you can't connect at all because it tries to open a shell but can't. So the security is enforced on the server side (using Caleb's method) but if you have issues connecting after that, you may need to set the client-side switch.
    – Bill B
    Commented Jun 4, 2011 at 4:44
  • 15
    You create such user with useradd sshtunnel -m -d /home/sshtunnel -s /bin/true.
    – fracz
    Commented Jun 11, 2016 at 16:48
  • 1
    I actually used the shell /usr/sbin/nologin, and this works well too (as long as I use the -N option when issuing the ssh -R command, otherwise it attempts to launch the shell which fails and returns). Any idea if it is maybe "even better" to use this shell, as then really no user login happens? :)
    – Zorglub29
    Commented Mar 6, 2022 at 20:36
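As an added illustration (not code from the answer or its comments) of why a /bin/true login shell works, the script below invokes a command the way sshd does for an account with that shell, and audits a constructed passwd(5) sample for such accounts. The passwd sample and the probe string are invented for the example; the /usr/sbin/nologin path is only used if it exists.

```shell
#!/bin/sh
# Added example, not part of the answer above or its comments: what a
# /bin/true login shell does to an SSH session, plus a passwd audit for
# accounts set up this way.
#
# sshd does not exec a remote command itself. It starts the account's login
# shell and, for "ssh user@host CMD", runs   <shell> -c 'CMD'   (for an
# interactive session it starts <shell> as a login shell instead). With
# /bin/true as the shell the command is discarded and the session exits 0;
# with nologin it prints its refusal message and exits 1.

# run_as_login_shell SHELL COMMAND
# Invoke COMMAND the way sshd would for an account whose shell is SHELL,
# show the exit status and output, and return that exit status.
run_as_login_shell() {
    _out=$("$1" -c "$2" 2>/dev/null)
    _status=$?
    printf '%-18s exit=%s output=%s\n' "$1" "$_status" "${_out:-<none>}"
    return $_status
}

# shell_runs_commands SHELL
# Returns 0 if an sshd-style "<shell> -c CMD" really executes CMD, 1 otherwise.
# A nologin binary is caught too: its refusal message is not the probe string.
shell_runs_commands() {
    _probe=$("$1" -c 'printf "%s-%s" probe ok' 2>/dev/null)
    [ "$_probe" = "probe-ok" ]
}

# tunnel_only_accounts PASSWD_TEXT
# Print the login names whose shell is /bin/true, /bin/false or a nologin
# binary, i.e. accounts that can authenticate but never get a shell.
tunnel_only_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $7 == "/bin/true" || $7 == "/bin/false" || $7 ~ /\/nologin$/ { print $1 }'
}

# Constructed passwd(5) sample (not taken from a real system); "sshtunnel"
# is what the comment above creates with: useradd sshtunnel -m -d /home/sshtunnel -s /bin/true
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshtunnel:x:1001:1001::/home/sshtunnel:/bin/true
alice:x:1002:1002::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Demo: the same "remote command" against a normal shell, /bin/true and nologin.
run_as_login_shell /bin/sh   'echo id=$(id -u)'
run_as_login_shell /bin/true 'echo id=$(id -u)'
if [ -x /usr/sbin/nologin ]; then
    run_as_login_shell /usr/sbin/nologin 'echo id=$(id -u)'
fi

echo "tunnel-only accounts in the sample passwd:"
tunnel_only_accounts "$SAMPLE_PASSWD"
```

Run it as a normal user; the /bin/sh line prints the uid, the /bin/true line prints nothing and exits 0, and nologin prints its message and exits 1. The difference the last comment asks about is only that exit status and message: neither shell lets a command run, and neither stops sshd from setting up port forwards.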
70

The following has the advantage that X11 and SSH agent socket forwardings are also disallowed, which might still be allowed in Caleb's way. Another advantage is that if the user is able to change his default shell through any other way, this will still restrict his SSH access to only TCP forwardings.

Put the following into your /etc/ssh/sshd_config:

Match User that-restricted-guy
  AllowTcpForwarding yes
  X11Forwarding no
  AllowAgentForwarding no
  ForceCommand /bin/false

to allow the user that-restricted-guy to forward any TCP connections through your SSH-enabled machine (connections to this machine, including to localhost, and even connections from this machine to other machines).

If you want it even more restrictive (which is a good idea) you can also do the following:

Match User even-more-restricted-guy
  PermitOpen 127.0.0.1:12345
  X11Forwarding no
  AllowAgentForwarding no
  ForceCommand /bin/false

This will allow the user even-more-restricted-guy to only ever forward connections to 127.0.0.1 TCP port 12345 (as it is visible through your SSH enabled machine).

When the user normally connects he will now be instantly disconnected because the /bin/false command will be triggered, which does nothing but instantly exit with a code of 1. If you want to avoid this and keep your forwarding connection open, add the -N flag to the ssh command. This will not try to execute any command but still allows setting up TCP forwardings.

An example of a forward command that should work in the latter setup:

ssh -L 12345:127.0.0.1:12345 -N even-more-restricted-guy@insert-your-machine
1
  • 2
    What about the no-pty option from ~/.ssh/authorized_keys and the PermitTTY option from /etc/ssh/sshd_config? Are they not needed for the restriction? I saw the no-pty option mentioned here: blog.tinned-software.net/…
    – baptx
    Commented Mar 4, 2021 at 9:30
10

You can control what people can do in ssh by matching groups assuming your version of ssh is new enough to support it (openssh 5.x+).

Basically, we treat them as if they were sftp users, but allow TCP forwarding and optionally specify the destinations they may forward to. If you give them a home directory but don't create any directories under it, they can't transfer any files because they will not have permission to do so.

Match Group                     nicepeople
    PubkeyAuthentication        yes
    PasswordAuthentication      yes
    PermitEmptyPasswords        no
    GatewayPorts                no
    ChrootDirectory             /opt/dummy_location/%u
    ForceCommand                internal-sftp
    AllowTcpForwarding          yes
    # Restrict forwarding targets; leave out PermitOpen to allow forwarding to anywhere.
    PermitOpen                  192.168.0.8:22
    PermitOpen                  192.168.0.5:8080
    HostbasedAuthentication     no
    # SSH protocol 1 option; sshd 7.4 and later only log that it is deprecated and ignore it.
    RhostsRSAAuthentication     no
    AllowAgentForwarding        no
    Banner                      none

You can repeat these Match Group blocks for each group that you wish to provide different behavior or restrictions.

You can further control where this person can go on the network using iptables.

# Both rules are inserted at the head of OUTPUT (-I), so the second one ends up
# first: TCP traffic from GID 500 to 192.168.0.0/24 is accepted, everything
# else the group sends is rejected.
/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -j REJECT
/sbin/iptables -I OUTPUT -m owner --gid-owner 500 -m tcp -p tcp -d 192.168.0.0/24 -j ACCEPT

This assumes the group "nicepeople" GID is 500.

Some of the above ssh options are available in the older versions of openssh, but not within the Match Group section. Match Group is very limited in OpenSSH 4.x and earlier.
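Both the Match User blocks in the previous answer and the Match Group block above are only as good as what sshd actually resolves for the account, so the added script below (not code from either answer) checks the output of sshd -T against the restrictions each answer intends. The check functions and the two sample outputs are constructed for this example; sshd -T -C user=NAME is a real sshd option (run as root, and some older releases also require host= and addr= in -C), but the samples are not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of either answer above: verify what sshd will
# really apply to a restricted account instead of trusting the config file.
# "sshd -T -C user=NAME" prints the effective configuration after Match
# blocks are resolved, one lowercased keyword per line, with multi-valued
# keywords such as permitopen on a single line.
# The sample outputs below are constructed for offline use.

# check_effective_config CFG "keyword value" ["keyword value" ...]
# CFG is the text printed by sshd -T. Prints one FAIL line per expectation
# that does not hold and returns 0 only if all of them do.
check_effective_config() {
    _cfg=$1; shift
    _rc=0
    for _want in "$@"; do
        _key=${_want%% *}
        _val=${_want#* }
        # Compare the whole remainder of the line so that multi-valued
        # keywords ("permitopen a:1 b:2") are checked as one unit.
        _got=$(printf '%s\n' "$_cfg" |
            awk -v k="$_key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$_got" != "$_val" ]; then
            printf 'FAIL %s: got "%s", want "%s"\n' "$_key" "$_got" "$_val"
            _rc=1
        fi
    done
    return $_rc
}

# check_tunnel_only CFG DESTINATIONS
# The "even-more-restricted-guy" profile: TCP forwarding to the listed
# destinations only, no X11, no agent, no command.
check_tunnel_only() {
    check_effective_config "$1" \
        "allowtcpforwarding yes" "permitopen $2" \
        "x11forwarding no" "allowagentforwarding no" "forcecommand /bin/false"
}

# check_sftp_jail CFG DESTINATIONS
# The Match Group profile: sftp jail plus forwarding to the listed destinations.
check_sftp_jail() {
    check_effective_config "$1" \
        "forcecommand internal-sftp" "allowtcpforwarding yes" \
        "permitopen $2" "gatewayports no" "allowagentforwarding no"
}

# audit_live NAME CHECK_FUNC DESTINATIONS: run the real sshd -T (needs root).
audit_live() {
    _live=$(sshd -T -C "user=$1" 2>/dev/null) ||
        { echo "sshd -T failed (not root, or sshd not installed?)"; return 2; }
    "$2" "$_live" "$3"
}

# Constructed sample: a host where the Match User block took effect.
SAMPLE_OK='port 22
permitopen 127.0.0.1:12345
allowtcpforwarding yes
x11forwarding no
allowagentforwarding no
forcecommand /bin/false'

# Constructed sample: the Match block was never applied (typo in the user
# name, say), so forwarding is unrestricted and the account gets a shell.
SAMPLE_BAD='port 22
permitopen any
allowtcpforwarding yes
x11forwarding yes
allowagentforwarding no
forcecommand none'

for _name in SAMPLE_OK SAMPLE_BAD; do
    eval "_text=\$$_name"
    if check_tunnel_only "$_text" 127.0.0.1:12345; then
        echo "$_name: tunnel-only restrictions in effect"
    else
        echo "$_name: NOT tunnel-only"
    fi
done
```

On a real host, `audit_live even-more-restricted-guy check_tunnel_only 127.0.0.1:12345` (as root) runs the same check against the live daemon, and `audit_live someone check_sftp_jail "192.168.0.8:22 192.168.0.5:8080"` does the same for a member of nicepeople. Run it once more for a user name that should not match any block, to confirm the defaults there are what you expect.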
