
I'm setting up an Ubuntu server to receive ssh connections from clients so I will then be able to connect back to their machine (reverse SSH tunneling). I searched for a way to prohibit any action from the client on the server, and I found different solutions, but none seems as simple as just configuring the authorized_key of a specific client on the server by adding:

command="sleep x seconds"

Am I missing something important that would make that solution not a good one?


If the restriction is for a number of users I would set up a Match block in /etc/sshd_config, to apply restrictions for that group of users. If the restriction is for a particular ssh key I would consider taking your suggested route and blocking commands in the ~/.ssh/authorized_keys file.

Match block in /etc/sshd_config

Read the documentation for Match, and as usual when changing how a connection subsystem such as ssh works, ensure you have a root login available on the remote system to revert or adjust any changes.

# Add users to the UNIX group "restrictedusers"
Match Group restrictedusers
        AllowTCPForwarding yes
        X11Forwarding no
        AllowAgentForwarding no
        ForceCommand echo No logins permitted

Keys in ~/.ssh/authorized_keys

Not only force a command but also disable X11Forwarding, agent forwarding, etc. by prefixing access control options to an existing or new key entry. Ensure you have a login available on the remote system to revert or adjust any changes to the file.

restrict,port-forwarding,command="echo No logins permitted" ssh-ed25519 ed25519-public-key-code-goes-here...

In both cases, once this is set up the caller needs to set up the reverse callback for you. For example, this one connects the remoteHost's local port 50123/tcp to the caller's local port 123/tcp.

ssh -fN -R 50123:localhost:123 remoteHost

Best of all, this can all be prepared in the caller's ~/.ssh/config for remoteHost, so that they would then just need ssh remoteHost to start the callback:

Host remoteHost
    ForkAfterAuthentication yes
    SessionType none
    # listenPort targetHost:targetPort
    RemoteForward 50123 localhost:123
Chris Davies
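A way to check what an authorized_keys entry actually leaves enabled, as an added example that is not part of the original answer: it models the sshd(8) option semantics for restrict, no-*, the re-enable names and command=, and assumes key types begin with ssh-, ecdsa- or sk-.

```python
# Added audit helper (not from the original post): applies the option semantics
# of sshd(8) "AUTHORIZED_KEYS FILE FORMAT" to one entry and reports which session
# capabilities the key keeps. Assumes key types start with ssh-, ecdsa- or sk-
# and models only restrict, no-*, the re-enable names and command=.
# Default capabilities; "restrict" clears them all and a later bare option name
# (e.g. "port-forwarding") re-enables just that one.
CAPABILITIES = frozenset(
    {"agent-forwarding", "port-forwarding", "pty", "user-rc", "x11-forwarding"})

def split_fields(line):
    """Return (options or '', key part); a quoted space does not end the options."""
    quoted, head, rest = False, line, ""
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            head, rest = line[:i], line[i:].lstrip()
            break
    if head.startswith(("ssh-", "ecdsa-", "sk-")):  # no options field present
        return "", line
    return head, rest

def split_options(options):
    """Split the comma-separated option list; commas inside quotes stay."""
    out, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if cur else out

def audit(line):
    """Return {'command': ..., 'caps': ...} for one entry, left to right as sshd."""
    options, _key = split_fields(line.strip())
    caps, command = set(CAPABILITIES), None
    for opt in split_options(options):
        name, _, value = opt.partition("=")
        name = name.lower()
        if name == "restrict":
            caps.clear()
        elif name in CAPABILITIES:  # e.g. port-forwarding after restrict
            caps.add(name)
        elif name.startswith("no-") and name[3:] in CAPABILITIES:
            caps.discard(name[3:])
        elif name == "command":
            command = value.strip('"')
    return {"command": command, "caps": caps}
```

Run it over the entry from the answer and over a bare command="sleep ..." entry: the first keeps only port-forwarding, the second keeps every capability, which is exactly what a forced command on its own does not restrict.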
  • Thanks for the answer! I modified the authorized_keys file based on the example you gave, but when the client connects, the connection closes immediately (so I'm not able to use the reverse ssh tunnel). That's why I was using "sleep" as a command, as it allows keeping a persistent connection. If it's not a problem to use "sleep" as command, I will probably use it in /etc/sshd_config ForceCommand instead of using the authorized_keys file. – Joel Rivest Jan 12 '22 at 14:28
  • OK, now I see: I was not using the -N option when the reverse callback was set up. Thanks! – Joel Rivest Jan 12 '22 at 14:56