SSH Tunneling – Only Access

linuxsshssh-tunnel

Is it possible to configure ssh (on linux) to allow access for tunneling only? Ie user can setup tunnels but cannot get a shell/access files?

Best Answer

Yes, just use /bin/false as shell and instruct the user to start the tunneling SSH process without executing any remote command (i.e. the -N flag for OpenSSH):

ssh -N -L 1234:target-host:5678 ssh-host

Related Solutions

Linux SSH Tunnel – How to Setup SSH Tunnel to Forward SSH

You are asking it to listen on your local port 22 and forward connections to a remote system's port 8090. You can't do that, because your local port 22 is already taken by your local SSH server.

I think what you are looking for is remote forwarding. Replacing -L 22:localhost:8090 with -R 8090:localhost:22 will tell the remote host to listen on port 8090 and forward requests to your SSH server.

If you are leaving the connection running so you can get in later from a remote site, then you are going to want to make sure the connection doesn't time-out due to inactivity by adding the relevant options (-o TCPKeepAlive=yes or -o ServerAliveInterval=30)

So you'll end up with something like:

ssh -N user@my_server -R 8090:localhost:22 -o ServerAliveInterval=30

Also, if one of the network hops between you and the server is down at any point, the connection will drop despite any KeepAlive options you specify, so you might want to add this command to inittab, or look into the daemontools package or your distro's equivalent , so that it always starts on boot and is restarted when it exits for some reason other then system shutdown (or you could run it from a shell script that loops infinitely, but init or daemontools are cleaner solutions).

SSH + svnserve -t command, while still allowing shell access

I wanted to comment on this yesterday but backed off waiting for someone more knowledgeable in this particular setup. Working from what you have said you can setup multiple users on the same account by having separate keys each setup to a different command structure. I,e user Bob would have a key command="svnserve -t --tunnel-user=Bob -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop

and Jane would be command="svnserve -t --tunnel-user=Jane -r /home/ownername/" ssh-rsa someother..eQ== laptoplogin@laptop

Now by the same logic you could set up a third shared key between you that just executes bash, or share the account password to login without keyless ssh and get access to the shell.

That being said, on an aside, you may just want to take a look at Mercurial or Git, both of which make centrally hosted development on a repository dead-simple and are far more powerful and flexible than svn.

Best Answer

Related Solutions

Linux SSH Tunnel – How to Setup SSH Tunnel to Forward SSH

SSH + svnserve -t command, while still allowing shell access

Related Topic