Is it possible to configure ssh (on linux) to allow access for tunneling only? I.e. the user can set up tunnels but cannot get a shell or access files?
Yes, just use /bin/false as shell and instruct the user to start the tunneling SSH process without executing any remote command (i.e. the -N flag for OpenSSH):

In the user's .ssh/authorized_keys file, put something like the following:
So, basically, the controls go in front of the user's ssh public key, separated by a space. In the example, connections using the specific public key will be allowed to do SSH port forwarding only to 192.168.1.10's MySQL server and 10.0.0.16's web server, and will not be assigned a shell (no-pty). You're specifically asking about the "no-pty" option, but the others may also be useful if the user is only supposed to tunnel to specific servers.
Look at the man page for sshd for more options for the authorized_keys file.
Note that the user's experience may look a little odd: when they ssh in, it will look like the session is hanging (as they are not getting a pty). That's OK. If the user has specified port forwarding with, for example, "-L3306:192.168.1.10:3306", the port forwarding will still be in effect.
In any case, give it a try.
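As an added example (not part of the answer above, and not code from any project): a small POSIX sh helper that builds a tunnel-only authorized_keys entry for the two destinations named in the answer and a check that audits an existing entry for the restrictions. The key material is constructed and unusable; the MySQL port 3306 is the one the answer uses, the web server port 80 is an assumption. One caveat for the defender: no-pty alone only denies a terminal, it does not stop "ssh host some-command" from running, so pair these options with a non-interactive login shell (as the first answer does) or with the newer "restrict" option and "port-forwarding" (OpenSSH 7.2 and later).

```shell
#!/bin/sh
# Build and audit "tunnel-only" authorized_keys entries.
# Added example; not from the answer above. The key below is constructed
# for illustration and is not a real key.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyDoNotUse tunnel-user@example'

# tunnel_only_line KEY DEST... : print one authorized_keys line that lets
# KEY open forwardings only to the listed host:port destinations and denies
# a pty, X11 forwarding and agent forwarding.
tunnel_only_line() {
    key=$1; shift
    opts=""
    for dest in "$@"; do
        opts="${opts}permitopen=\"$dest\","
    done
    opts="${opts}no-pty,no-X11-forwarding,no-agent-forwarding"
    printf '%s %s\n' "$opts" "$key"
}

# check_tunnel_only LINE : return 0 when the options field of LINE carries
# no-pty and at least one permitopen, 1 otherwise. The options field is the
# first whitespace-delimited token, so this check assumes no option value
# contains a space (permitopen values never do). Audit a whole file with:
#   while read -r l; do check_tunnel_only "$l" || echo "unrestricted: $l"; done < authorized_keys
check_tunnel_only() {
    opts=${1%% *}
    case "$opts" in
        ssh-*|ecdsa-*|sk-*) return 1 ;;   # bare key type: no options at all
    esac
    case ",$opts," in
        *,no-pty,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *permitopen=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Example: emit the entry for the two servers named in the answer.
tunnel_only_line "$SAMPLE_PUBKEY" 192.168.1.10:3306 10.0.0.16:80
```

The generated line reads `permitopen="192.168.1.10:3306",permitopen="10.0.0.16:80",no-pty,no-X11-forwarding,no-agent-forwarding ssh-ed25519 ...`; with it in place the client can still run `ssh -N -L3306:192.168.1.10:3306 host`, but any -L target not listed is refused by sshd.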
Give the user a shell that only allows them to log out, such as /bin/press_to_exit.sh. This way he can stay logged in as long as he wants, with tunnels active, but not run any commands. Ctrl-c closes the connection.

Assign a shell that doesn't let the user log in.
e.g.
would prevent them from getting a shell prompt, and give them a time-out of 60 seconds - if there's no connection active for 60 seconds then it will exit and thereby disconnect them completely (increase the number according to requirements).
They can't execute a remote command, either, because that shell won't let them.
My solution for a user who may only tunnel, without an interactive shell, is to set that user's shell in /etc/passwd to /usr/bin/tunnel_shell.
Just create the executable file /usr/bin/tunnel_shell with an infinite loop.
Additionally, make use of the AllowGroups and Match Group options. Fully explained here: http://blog.flowl.info/2011/ssh-tunnel-group-only-and-no-shell-please/
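As an added example (my own script, not the one from the answer or the linked post): a /usr/bin/tunnel_shell that keeps the session open with an infinite loop and never runs a command, together with the sshd_config Match Group settings it is meant to be paired with, given as a comment. The group name "sshtunnel" and the two PermitOpen targets are assumptions; the loop is written as a function with an optional iteration bound only so the script can be exercised without hanging, and the real login-shell path still loops forever.

```shell
#!/bin/sh
# /usr/bin/tunnel_shell: login shell for tunnel-only accounts.
# Added example, not the script from the answer or the linked post. It never
# executes anything; it only keeps the session alive so the user's port
# forwardings stay up, and it ends when the user closes the connection.
#
# Assumed companion settings in /etc/ssh/sshd_config (group name and
# PermitOpen targets are assumptions):
#   AllowGroups sshtunnel admins
#   Match Group sshtunnel
#       AllowTcpForwarding yes
#       PermitTTY no
#       X11Forwarding no
#       AllowAgentForwarding no
#       PermitOpen 192.168.1.10:3306 10.0.0.16:80
# Then set the shell: chsh -s /usr/bin/tunnel_shell <user> (or edit
# /etc/passwd), adding /usr/bin/tunnel_shell to /etc/shells if chsh insists.

# hold_open MAX INTERVAL: sleep in a loop. MAX=0 means forever, which is the
# real login-shell behaviour; a positive MAX bounds the loop so the function
# can be tested. The iteration count is left in HELD_ITERATIONS.
hold_open() {
    max=${1:-0}
    interval=${2:-60}
    HELD_ITERATIONS=0
    printf 'Tunnel-only account: no shell, no commands. Press Ctrl-C or close the connection to disconnect.\n'
    while :; do
        HELD_ITERATIONS=$((HELD_ITERATIONS + 1))
        sleep "$interval"
        if [ "$max" -gt 0 ] && [ "$HELD_ITERATIONS" -ge "$max" ]; then
            break
        fi
    done
}

# is_remote_command ARGS...: sshd runs the login shell as "shell -c CMD" when
# the client passed a remote command (ssh host ls). Returns 0 for that form.
is_remote_command() {
    [ "${1:-}" = "-c" ]
}

main() {
    if is_remote_command "$@"; then
        printf 'tunnel_shell: remote commands are not permitted on this account\n' >&2
        exit 1
    fi
    hold_open 0 60
}

# Only loop when actually invoked as the login shell: sshd uses an argv[0] of
# "-tunnel_shell" for a login shell and "tunnel_shell" otherwise. Any other
# name (for instance when this file is sourced for a test) skips the loop.
case "${0##*/}" in
    tunnel_shell|-tunnel_shell) main "$@" ;;
esac
```

With PermitTTY no in the Match block, a plain `ssh host` prints the banner and then sits there with forwardings active, exactly the "hanging" session described in the earlier answer; `ssh -N` never starts the shell at all, and `ssh host cmd` is refused with exit status 1, which is visible in the sshd log as a closed session rather than an executed command.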