I have created a Linux user and changed his default shell to /bin/true. I want to allow this user to set up port forwarding via SSH, but not execute anything on the server.

How can I do that?

zxsimba

1 Answer

By setting the user's shell to /bin/true, you have already prevented the user from executing anything on the server. The problem is that if the user connects "normally" to the server via ssh, after entering the password he/she is immediately disconnected, so it's not possible to use the port forwarding either.

Your user should use the -N parameter to ssh, like this:

ssh -N -L 8000:localhost:80 youruser@yourserver

This creates a port forwarding from port 8000 of the machine the user is connecting from to port 80 on the server. The -N parameter tells ssh to only establish the connection, but not to execute the user's default shell (/bin/true in your case). So the user stays connected and the connection will "hang" until interrupted by Ctrl-C. During this time the ports are forwarded.

You can also make ssh go to the background before "hanging" (so the terminal is not blocked) by adding -f before -N. In this case, to quit the port forwarding later, you have to find the ssh process in the process list and kill it.

raj
    That does not prevent the user from executing anything. That's just a way for the user themselves to not execute anything if they choose so. That's not the point of the question. – Fritz Sep 28 '23 at 13:10
  • @Fritz If the shell is /bin/true (as stated in the question), they can't execute anything anyway. The problem is, however, that if they connect with ssh "normally", without -N, they are immediately disconnected, so they can't use port forwarding (which OP wants). The -N is the way for them to stay connected, so they can actually use port forwarding. – raj Sep 28 '23 at 13:25
  • 1
    "By setting the user's shell to /bin/true, you already prevented the user from executing anything on the server" - probably true, yes. However, it's still possible to wander around the file system using sftp, reading (and potentially writing) files. Other service applications may also accept the username/password credentials as sufficient authentication without referencing the shell defined in /etc/passwd – Chris Davies Sep 28 '23 at 14:37
  • @roaima If /bin/true is not in /etc/shells, then using sftp is not possible. Just tested it on my server. May be configuration dependent, but with standard configuration it works like that. – raj Sep 28 '23 at 15:55
  • @raj I also tested. It's not in /etc/shells here either, but with internal-sftp set for sshd I can definitely log in – Chris Davies Sep 28 '23 at 16:40
  • @roaima forcing internal-sftp is not a default setting, someone must have knowingly set that. – raj Sep 29 '23 at 11:46
  • @raj oh absolutely. But seeing as the new default is no sftp subsystem at all it seems reasonable enough to assume someone might have set it to internal-server – Chris Davies Sep 29 '23 at 12:27
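Server-side enforcement of the same policy, as an added example that is not part of the original answer or the comments: the -N flag in the answer is a choice the client makes, and as the comment thread points out, a /bin/true login shell by itself does not stop an internal-sftp subsystem (or other services that accept the same password) from being used. A Match block in sshd_config restricts what this user's session may request no matter how the client connects. It assumes the user name youruser and the localhost:80 destination from the answer's ssh command, and an OpenSSH recent enough to accept PermitTTY and the value "local" for AllowTcpForwarding (older versions only take yes/no there); adjust names and ports to your setup.

```sshd_config
# Added example: confine "youruser" to local port forwarding only.
# Append to /etc/ssh/sshd_config (or a drop-in file under
# /etc/ssh/sshd_config.d/ if the main file has an Include line).
# Match blocks must come after all global options.
Match User youruser
    # No PTY, no X11, no agent forwarding: nothing interactive is available.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    # Allow -L style (local) forwarding only; -R style remote forwarding is
    # refused. "yes" would permit both.
    AllowTcpForwarding local
    # Only the destination the user actually needs. PermitOpen compares the
    # host name literally, so list both spellings a client might use.
    PermitOpen localhost:80 127.0.0.1:80
    # Whatever the client asks to run, including the sftp subsystem, is
    # replaced by this command, which is started via the login shell and
    # exits at once. With the shell set to /bin/true nothing runs either way;
    # this keeps the restriction even if the shell is later changed.
    ForceCommand /bin/false
```

Check the file with `sshd -t` before reloading sshd, and confirm what the restricted user actually gets with `sshd -T -C user=youruser`, which prints the effective options for that user; a typo in a Match block can lock everyone out. With this in place `ssh -N -L 8000:localhost:80 youruser@yourserver` keeps working as the answer describes, while a plain `ssh youruser@yourserver`, `sftp youruser@yourserver`, or `ssh -L 8000:otherhost:22 ...` is refused by the server rather than merely being inconvenient. If the user authenticates with a key instead of a password, the same limits can also be attached to that key in authorized_keys with the restrict and port-forwarding options, but the Match block applies regardless of the authentication method.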