/bin/false won't work. The port forwarding is only active as long as the
connection is alive. When sshd goes to start the shell, /bin/false in this
case, it returns immediately with a non-zero exit status. sshd will then end
and the connection will close, thus stopping the port forwarding.

Just put this script in the user's ~/.ssh/rc file. Modify to taste. Right now
it logs start and stop and every hour of connection to syslog. Since this is
run BEFORE the user's shell or any command, it stops them from running. This
includes sftp and scp as well as a login shell.

The bad thing is while an attempted login will give the message below, it causes
client connections for scp to give:

protocol error: unexpected <newline>

and for sftp:

Received message too long 1349481076

Without the message all connections just hang with no output, which disallows
connections, but may be confusing for the user. At least an ssh -L/-R will
give some info on how to stop the forwarding... The errors also let the user
know that it won't work and may ask. Then you will know they are trying
something you don't want them to.

Finally, set the user shell to /bin/false since it never gets that far due to
the rc script. This will stop normal telnet, ftp, etc. logins.

Anyway, do what you want with it... and good luck. As an aside you can also use
this file as a way to set user special values for a custom shell, etc.

--Dave

# ~/.ssh/rc script for a no-access account that we want to allow port
# forwarding from. sshd runs this file before the user's shell or command,
# so as long as it never exits, the shell (set to /bin/false) is never reached.
PROG=ssh-rc
PERIOD=3600    # one hour, in seconds
HOURS=0        # How long we have been connected.
trap 'log info rc script ended.' 0
trap 'exit' 1 2 3 15

# Simple function to log a message to syslog. $1 is priority (info,debug)
# and rest of args comprise the message. $USER is set by sshd for the session.
log()
{
    PRI=$1; shift
    logger -i -t "$PROG" -p "auth.$PRI" -- "$USER: $*"
}

# Log start of rc script
log info rc script started.

# Banner shown to anything that reads the session's output (login, scp, sftp).
cat <<EOM
***************************** NOTICE ***********************************
This is an endless shell loop. Its entire purpose is to ONLY allow $USER
to do port forwarding. To end, just kill the ssh client that got you here for
the port forwarding.
If you are trying to do ANYTHING else, like login, scp, or sftp, nothing
will happen, so you might as well kill the client. If you are also port
forwarding with one of these, realize the port forwarding is all that will
work.
EOM

# endless loop. You can do anything you want here, such as add code to check
# hours forwarding allowed, etc. This currently just logs a message to syslog
# after every hour it has been running.
while :
do
    sleep "$PERIOD"
    HOURS=$((HOURS + 1))
    log info connected $HOURS hours.
done
exit
##############################################################################
>On Sun, 7 Oct 2001, Hugh Nimmo-Smith wrote:
>
>> One way is to edit the /etc/passwd file so that the shell it tries to
>> use is something like "/bin/false" or "/bin/nothing"
>>
>> eg.
>>
>> sshtunnel:x:12941:12941::/home/sshtunnel:/bin/nothing
>>
>> so that when the user logs in no shell is generated, in the former case,
>> or it does nothing (the thread blocks I believe) in the latter case.
>>
>> I can probably email you the /bin/nothing file as I don't think it's a
>> standard file...
>>
>> I don't know if this prevents scp access however? - let me know if it
>> does...
>>
>
>Yes it does. Since it does /bin/usershell -c scp [..]. And since
>/bin/nothing (which is not standard =) or /bin/false does not support
>-c construct scp would break.
>
>But subsystems (sftp in newer OpenSSH) do not spawn the user's shell
>therefore it could outskirt this. (Never tried it.. When I setup sftp only
>accounts I do things differently).
>
>
>> > The user fwd is on an ssh1 client and can only use password
>> > authentication (I cannot control that user's access method).
>> > I have restricted access to just these two users and enabled
>> > forwarding and that works quite well, but I'm stuck on how to
>> > limit the access for fwd. Do I need to write a custom shell
>> > for that user? I can do that, but I don't know what command to allow.
>>
>> I don't think the custom shell (like /bin/nothing) needs to allow any
>> commands as the forwarding is done independently of the shell...
>>
>> If you want to cron the ssh tunnels then I would recommend using rsa
>> keys with no pass-phrase set.
>>
>
>Port forward is on or off in OpenSSH (IIRC). You can not restrict port
>forward based on userid/groupid. Just by what ports can be forwarded.
>
>Unsure how SSH Corp handles such cases...
>
>- Ben
>
>
--
David Knight French
Black Mountain Computer Consulting
Voice: (858)573-2959
Email: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
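The rc script above writes its activity to syslog, which is the only place an administrator can see who is holding a forwarding-only session open and for how long. The following is an added example (not part of Dave's post or the rc script) that summarises those log lines. It assumes the messages exactly as the script emits them via logger -t ssh-rc, with a syslog prefix of the usual "Mon DD HH:MM:SS host tag[pid]:" shape. The host name "gw", the user names "fwd" and "tunnel2", the PIDs and the timestamps in SAMPLE_LOG are constructed for the example. Because logger -i records the PID of each logger invocation rather than of the rc script, the PIDs differ from line to line and cannot be used to tie messages together, so the summary is kept per user: starts, ends, sessions still open, and the longest connection time reported.

```shell
#!/bin/sh
# Summarise the syslog lines produced by the ~/.ssh/rc forwarding-only script.
# SAMPLE_LOG is constructed sample input for this example (host "gw", users
# "fwd" and "tunnel2", PIDs and times are made up).
SAMPLE_LOG='Oct  7 10:00:01 gw ssh-rc[4021]: fwd: rc script started.
Oct  7 11:00:02 gw ssh-rc[4055]: fwd: connected 1 hours.
Oct  7 12:00:02 gw ssh-rc[4090]: fwd: connected 2 hours.
Oct  7 12:30:00 gw ssh-rc[4102]: fwd: rc script ended.
Oct  7 13:15:00 gw ssh-rc[4107]: fwd: rc script started.
Oct  7 13:20:00 gw ssh-rc[4110]: tunnel2: rc script started.
Oct  7 14:15:01 gw ssh-rc[4150]: fwd: connected 1 hours.
Oct  7 14:20:01 gw ssh-rc[4151]: tunnel2: connected 1 hours.
Oct  7 15:20:01 gw ssh-rc[4201]: tunnel2: connected 2 hours.
Oct  7 16:20:01 gw ssh-rc[4260]: tunnel2: connected 3 hours.
Oct  7 16:25:00 gw sshd[4300]: Accepted password for fwd from 10.0.0.5 port 50122 ssh2'

# rc_summary: read syslog lines on stdin and print, per user and sorted by
# user, "user starts ends open longest" where open = starts - ends and
# longest is the highest "connected N hours." value reported for that user.
# Lines from other syslog tags (e.g. sshd itself) are ignored.
rc_summary() {
    awk '
        $5 ~ /^ssh-rc\[/ {
            user = $6; sub(/:$/, "", user)          # "fwd:" -> "fwd"
            msg = ""
            for (i = 7; i <= NF; i++) msg = msg (i > 7 ? " " : "") $i
            if (msg == "rc script started.") starts[user]++
            else if (msg == "rc script ended.") ends[user]++
            else if (msg ~ /^connected [0-9]+ hours\.$/) {
                h = $8 + 0
                if (h > longest[user] + 0) longest[user] = h
            }
            seen[user] = 1
        }
        END {
            for (u in seen)
                printf "%s %d %d %d %d\n", u, starts[u], ends[u],
                       starts[u] - ends[u], longest[u]
        }' | sort
}

# rc_long_sessions MAXHOURS: print the users that still have a session open
# (more starts than ends) and have already reported more than MAXHOURS hours.
rc_long_sessions() {
    rc_summary | awk -v max="$1" '$4 > 0 && $5 > max { print $1 }'
}

# When run directly: summarise the sample and flag tunnels open longer than
# two reported hours.
printf '%s\n' "$SAMPLE_LOG" | rc_summary
printf '%s\n' "$SAMPLE_LOG" | rc_long_sessions 2
```

On a real host the same functions can be fed from the auth log (for example with grep ssh-rc /var/log/auth.log | rc_long_sessions 8); a user who shows more starts than ends after the ssh client was supposedly killed, or a connection time far beyond what the tunnel is meant for, is worth a look.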