Re: SSH Port forwarding
- From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
- Date: Fri, 19 Jan 2007 10:52:14 +1100
On 2007-01-18, Jc <ramschitra@xxxxxxxxx> wrote:
> I don't want the user to log in to my host; instead I want the user to
> connect only to the specific port. But what happens is, if I execute the
> port forwarding command, the user was able to log in to my host.
> How can it be avoided?
If you're using OpenSSH you can set the user's shell to, eg, /bin/true.
(You will probably have to add /bin/true to /etc/shells too). The user
will need to specify -N (or its equivalent in their client) to prevent
the client from requesting a shell. This will work only with the SSHv2
Another alternative is to make the user's shell a shell script
that does something like "exec sleep 300". This will work with both
versions of the ssh protocol but will leave a bunch of sleep processes
running for a while.
As far as restricting the users to a specific port, older versions of
OpenSSH could only do that if you were using pubkey authentication.
Newer versions (>=4.4) have a PermitOpen directive for this purpose.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
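
A server-side sketch of the forwarding-only account described in the reply above, as an added example that is not part of the original message. The account name `tunnel` and the target `127.0.0.1:5432` are assumed placeholders, and several directives shown (`PermitTTY`, `AllowTcpForwarding local`, `AllowAgentForwarding`) exist only in OpenSSH releases later than the 4.4 mentioned above.

```conf
# /etc/ssh/sshd_config fragment (added example; "tunnel" and
# 127.0.0.1:5432 are assumed placeholders, not values from the post).
#
# Account setup done outside this file, as the reply suggests:
#   - the user's login shell is /bin/true
#   - /bin/true is listed in /etc/shells if the system requires it

Match User tunnel
    # Allow only client-to-server (-L) forwards; remote (-R) forwards
    # are refused. The "local" value needs a newer OpenSSH than 4.4.
    AllowTcpForwarding local

    # Restrict forwarded connections to a single destination.
    # Any other host:port requested by the client is rejected.
    PermitOpen 127.0.0.1:5432

    # Close the other channels an interactive login would use.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no

    # If the client does request a command or shell, run this instead.
    ForceCommand /bin/true

# Per-key equivalent for public key authentication, placed on one line
# in the user's ~/.ssh/authorized_keys (<public-key> is a placeholder):
#
#   permitopen="127.0.0.1:5432",no-pty,no-X11-forwarding,no-agent-forwarding <public-key>
#
# Client side: the user connects without requesting a shell, e.g.
#
#   ssh -N -L 5432:127.0.0.1:5432 tunnel@server.example
#
# Check the file for syntax errors with "sshd -t" before reloading sshd.
```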