Re: secure port forwarding without shell access

From: Andrew Schulman (andrex_at_deadspam.com)
Date: 09/30/04

Date: Thu, 30 Sep 2004 09:13:51 -0400

> > > Those users that are "restricted" have been usermod -s "/bin/rbash"
> > > username
> > > and /bin/rbash mode is 755, owned by root, and contains:
> > >
> > >
> > > #!/bin/bash
> > > /bin/bash -r >/dev/null 2>&1
> > > tail -f /dev/null
> >
> > Why not just give them a shell of /bin/false? Then they can't have
> > shell access at all, but they can still forward ports.
>
> I tried /sbin/nologin and /bin/false to no avail.
> I am using PuTTY to authenticate, and both of these drop the connection immediately.
> I will toy with the settings to see if I can make it work.
> Thanks.

Ah, okay. I'm using ssh -N for my tunneling, so ssh doesn't try to
establish a shell session. PuTTY doesn't yet have a pure tunneling mode
with no shell session, but there was a thread on this NG, I believe,
within the last week saying that they're going to implement this, or
maybe they already have in the nightly snapshots.

Anyway, although /bin/false is a simpler shell, I don't see any obvious
problem with your /bin/rbash.

> sshd is started with: sshd --command=permitopen=localhost:3128

Does this work? If so, it's not documented in the man page. permitopen
is an option in the authorized_keys file.

Good luck,
Andrew.

-- 
To reply by email, change "deadspam.com" to "alumni.utexas.net"
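As an added example (not code from this thread or from OpenSSH), a small POSIX shell helper that writes the forwarding-only authorized_keys entry Andrew describes, with permitopen pinned to localhost:3128, and audits a key file for entries that still allow unrestricted forwarding; the key material is a constructed placeholder and the option names are the ones documented in sshd(8).

```sh
#!/bin/sh
# Added example, not from the thread. Builds a forwarding-only authorized_keys
# entry and audits a key file for entries that lack those restrictions.
# Option names come from the sshd(8) AUTHORIZED_KEYS section; the key below
# is a constructed placeholder, not a real key.

# restrict_key 'host:port' 'ssh-rsa AAAA... comment' -> prints the entry.
# permitopen limits local (-L) forwards to one host:port; no-pty and the
# other no-* options close the remaining session-side features. The login
# shell (/bin/false with ssh -N, or the rbash wrapper for clients that
# still open a session) is what decides whether a shell is ever reachable.
restrict_key() {
    target=$1
    key=$2
    printf 'permitopen="%s",no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$target" "$key"
}

# is_restricted ENTRY -> 0 if the entry carries both permitopen= and no-pty.
# Coarse check: options precede the key type, so a match in the comment
# field would be a false positive; good enough for a first audit pass.
is_restricted() {
    case $1 in
        *permitopen=*no-pty*|*no-pty*permitopen=*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_keys < authorized_keys -> prints unrestricted entries, returns 1 if
# any were found (skips blank and comment lines).
audit_keys() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! is_restricted "$line"; then
            printf 'unrestricted: %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: one restricted entry and one bare key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER proxyuser@example'
SAMPLE_FILE="$(restrict_key localhost:3128 "$SAMPLE_KEY")
$SAMPLE_KEY"
```

Running `printf '%s\n' "$SAMPLE_FILE" | audit_keys` prints the bare key as unrestricted and exits 1.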