Hi,

this should work and you don't even have to set the shell to /sbin/nologin (depends on whether you want the users to be able to log in to the system by other means or not), as the command directive in authorized_keys takes precedence.


The tricky part is escaping the value correctly (there is shell escaping, IPA CSV quote escaping and authorized_keys quote escaping in effect):

$ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1; print \""Tunnel created, use your webbrowser to connect to the tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding ssh-rsa ..."'

Honza

On 17.12.2012 03:23, Peter Brown wrote:
Hi Albert,

Have you tried putting that command in the public key for the user in
freeipa and setting the user shell to /sbin/nologin or the equivalent?


On 15 December 2012 02:09, Albert Adams <bite...@gmail.com> wrote:

    In our environment we have several systems where users require
    access to the system to setup an SSH tunnel but should not have a
    shell on the system.  Prior to rolling out IPA we accomplished this
    with the authorized_keys file as follows:

    command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding

    Is there a way to accomplish this in IPA?

    Regards,
    Albert

    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users




--
Jan Cholasta
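Since the hard part of Honza's answer is getting the three escaping layers right by hand, here is a small helper (an added example, not code from the thread or from FreeIPA) that applies them mechanically and can undo them again so a pasted command can be checked before it is run. It takes Albert's authorized_keys options verbatim and a constructed placeholder key. It assumes, from Honza's command, that the IPA CLI of that era strips one outer pair of double quotes from a --sshpubkey value and un-doubles "" inside it; the shell layer uses the standard '\'' idiom.

```python
"""Added example (not from the thread): build the --sshpubkey value for a
forced-command key mechanically instead of escaping it by hand.

Three layers are applied in order, matching Honza's command:
  1. authorized_keys quoting  - the options string already carries the
     backslash-escaped quotes inside command="...", exactly as Albert's
     file has it (left untouched here);
  2. IPA CSV quoting          - the whole value is wrapped in double quotes and
     every embedded double quote is doubled (assumption: this mirrors how the
     IPA CLI of that era parsed quoted multivalue parameters);
  3. shell quoting            - the result is single-quoted for the shell with
     the '\\'' idiom for embedded single quotes.
The inverse functions let you check a pasted command before running it.
"""

# Albert's authorized_keys options, copied from his mail (no key attached).
ALBERT_OPTIONS = r'''command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding'''

# Constructed placeholder key; a real key is a long base64 blob.
KEY = "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER tunnel-user@example.com"


def ipa_csv_escape(value: str) -> str:
    """Layer 2: wrap in double quotes and double each embedded double quote."""
    return '"' + value.replace('"', '""') + '"'


def ipa_csv_unescape(value: str) -> str:
    """Inverse of ipa_csv_escape; rejects values that are not a quoted field."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("expected a double-quoted CSV field")
    return value[1:-1].replace('""', '"')


def shell_single_quote(value: str) -> str:
    """Layer 3: POSIX single quoting; an embedded ' becomes '\\'' ."""
    return "'" + value.replace("'", "'\\''") + "'"


def shell_single_unquote(value: str) -> str:
    """Inverse of shell_single_quote for strings produced by it."""
    if len(value) < 2 or value[0] != "'" or value[-1] != "'":
        raise ValueError("expected a single-quoted shell word")
    return value[1:-1].replace("'\\''", "'")


def sshpubkey_shell_arg(options: str, key: str) -> str:
    """The shell-ready --sshpubkey value for 'options key'."""
    return shell_single_quote(ipa_csv_escape(options + " " + key))


def ipa_user_mod_command(user: str, options: str, key: str) -> str:
    """Full command line to paste into a shell on an IPA client."""
    return f"ipa user-mod {user} --sshpubkey={sshpubkey_shell_arg(options, key)}"


def recover_authorized_keys_line(shell_arg: str) -> str:
    """Undo layers 3 and 2 to see what sshd will actually get."""
    return ipa_csv_unescape(shell_single_unquote(shell_arg))


if __name__ == "__main__":
    cmd = ipa_user_mod_command("user", ALBERT_OPTIONS, KEY)
    print(cmd)
    # Sanity check: the round trip must give back Albert's line plus the key.
    arg = cmd.split("--sshpubkey=", 1)[1]
    assert recover_authorized_keys_line(arg) == ALBERT_OPTIONS + " " + KEY
```

Running it prints a command of exactly the shape Honza posted (with a placeholder key); the round-trip check at the end is the part worth keeping, since a single missed doubled quote silently produces an options string sshd will reject or, worse, one that no longer restricts the key the way you intended.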
