Configure SSH to allow port forwarding but no commands for particular key?

thelsdj Asked: 2010-04-14 10:05:36 +0800 CST
772

So I've added a public key to authorized_keys. How can I limit it so that it may forward ports but it may not have a shell?

security ssh

3 Answers

Voted Best Answer
cstamas 2010-04-14T11:07:23+08:00

You have to add the no-pty,command="/bin/false" keywords before your key, so it will look like this:

    no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABBACzbcwCZNaN3HhHmpnaVrfZlNJ0HhPnOqEj
    k2llms1OOPnEXetIlZuJw0UXbyMbhQbBl/E2wxXvXvF+jyLRR5yN6kBydM4LhjC0ej0PcH839vXd
    uwJpDFjPw3s7r0VOhU1WRyk6Da6rX6shzabhQioIm3MHCjNOdywPb0k1cTj4yOxoOCOqGjmXK0
    xxzTd+ZjTJqQGWzZ+8L8cVtKmU8kspYlCdhGWSv0Den36OsScnWTBn8A3X3lVJB5NkEm
    BM1yKX4F6BhhD317VensEUu031PtFULeSF97IxDPmK36OFz9TPSf4d8Hp3BqtysqUlbWfEhYdHXj
    +1Mn4xXZKiZhBh1DX youruser@yourhome

(This is all in a single line; I added the line breaks for readability.)

mctylr 2010-04-14T10:25:22+08:00

I would look at using scponly; I suspect it can be used for port forwarding rather than scp/sftp-only access. It is intended to restrict the user from logging in or executing commands via ssh.

The other factor: you may need to, or want to, use sshd in a chroot'ed environment; here are some instructions on setting up sftp using chroot. You should be able to adapt them fairly easily.

I hope that helps you find your solution.

anders 2010-04-14T10:41:06+08:00

man sshd, section AUTHORIZED_KEYS FILE FORMAT. You can restrict what users can port forward to simply by adding the ports and hosts you want to allow, like permitopen="192.0.2.1:80". Also you can restrict where the user connects from, which commands can be executed, etc.
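As an added example, not code from the thread: a small Python auditor that parses authorized_keys entries using the option syntax from cstamas's and anders's answers (no-pty, command=, permitopen=, from=) and reports, for each key, whether its holder can get a PTY, whether the key may forward ports, and to which destinations local forwarding is limited. It follows the quoting rules of sshd(8) AUTHORIZED_KEYS FILE FORMAT (a double-quoted value may contain commas and backslash-escaped quotes), and it also understands the later `restrict` option (OpenSSH 7.2 and newer), which the thread predates. The sample entries and the key material in them are constructed placeholders.

```python
import re

# Key-type tokens this example recognises as the start of key material.
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")


def _options_end(line):
    """Index just past the options field: the first unquoted whitespace."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:
            i += 2  # skip the escaped character inside a quoted value
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return i
        i += 1
    return len(line)


def split_options(text):
    """Split the options field on commas that are outside double quotes."""
    opts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape verbatim for now
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if buf:
        opts.append("".join(buf))
    return opts


def parse_option(opt):
    """Return (name, value); flag options such as no-pty get the value True."""
    if "=" not in opt:
        return opt.lower(), True
    name, value = opt.split("=", 1)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
    return name.lower(), value


def parse_line(line):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if KEY_TYPE_RE.match(first):
        options_text, rest = "", line  # no options field at all
    else:
        end = _options_end(line)
        options_text, rest = line[:end], line[end:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
        raise ValueError("not an authorized_keys entry: %r" % line)
    options = {}
    for opt in split_options(options_text):
        name, value = parse_option(opt)
        options.setdefault(name, []).append(value)  # permitopen may repeat
    return {"options": options, "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(entry):
    """What the key's holder can do, per the option semantics in sshd(8)."""
    o = entry["options"]
    restricted = "restrict" in o  # OpenSSH 7.2+: deny everything not re-enabled
    pty = "no-pty" not in o and (not restricted or "pty" in o)
    fwd = "no-port-forwarding" not in o and (not restricted or "port-forwarding" in o)
    return {
        "comment": entry["comment"],
        "forced_command": o.get("command", [None])[0],  # None: shell/any command
        "pty": pty,
        "port_forwarding": fwd,
        "permitopen": o.get("permitopen", []) if fwd else [],  # [] means unrestricted
        "from": o.get("from", []),
    }


def audit_text(text):
    """Audit every entry in an authorized_keys file given as a string."""
    return [audit(e) for e in (parse_line(ln) for ln in text.splitlines()) if e]


# Constructed sample file; the key data are placeholders, not real keys.
SAMPLE = """\
# unrestricted key: full shell, any forwarding
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA0000000000000000000000000000 alice@laptop
no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA1111111111111111111111111111 tunnel@host
no-pty,command="/bin/false",permitopen="192.0.2.1:80",permitopen="192.0.2.1:443",from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA2222222222222222222222222222 tunnel-restricted@host
"""

if __name__ == "__main__":
    for report in audit_text(SAMPLE):
        print(report)
```

Run against a real file with `audit_text(open("~/.ssh/authorized_keys").read())` (expand the path first). The second sample entry is cstamas's recipe: the forced command replaces any shell or exec request, no-pty denies a terminal, and forwarding is still permitted to any destination, which is what the question asked for. The third entry adds anders's permitopen= and from= restrictions, so the audit shows exactly which destinations local forwarding can reach and from which source addresses the key is accepted.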