I'm running a Debian Linux. I'd like to have a user account that is able to connect via SSH for TCP-forwarding only, without a command prompt.
e.g. the following would work (from a remote computer):
ssh -D1234 user@myhost
but no command prompt would appear.
Using a shell like /bin/false or /sbin/nologin is too restrictive as it doesn't even allow the user to log in. A shell that only allows the "exit" or Ctrl+D commands would do the job.
I know that something similar is possible to allow only SFTP, but I can't find the equivalent for TCP forwarding.
Thanks
Best Answer
It sounds like you're looking for the -N option:
Like so:
Also of some interest might be the -f option:
If you want to restrict what inbound connections can do, see the authorized_keys file (assuming you're using ssh keys).
What command/shell you use depends on what you want to allow. For example:
- /bin/cat will hold the connection open but do absolutely nothing
- rssh will allow you to customize what actions are available
- bash can be run in restricted mode (rbash), which only allows you to run commands in your configured PATH. It's not foolproof, but it's worth more than nothing.
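As an added example (mine, not code from the answer above or from the OpenSSH project), the script below puts the answer's pieces together: it builds an authorized_keys entry that permits TCP forwarding and nothing else, emits the sshd_config Match block that enforces the same limits server-side, and audits an existing authorized_keys file for entries that lack the restriction. The user name alice, the destination 127.0.0.1:1234 and all key strings are constructed placeholders; /bin/cat as the forced command follows the answer's suggestion. The restrict option needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not part of the original answer: build a forwarding-only
# authorized_keys entry, emit a matching sshd_config Match block, and audit
# an existing authorized_keys file for entries that lack "restrict".
# Requires OpenSSH 7.2 or later for the "restrict" option. All key material
# below is constructed placeholder text, not a real key.

# forward_only_entry PUBKEY [DEST...]
# PUBKEY is the public key line as written by ssh-keygen ("ssh-ed25519 AAAA... comment").
# "restrict" turns off pty allocation, agent/X11 forwarding, ~/.ssh/rc and port
# forwarding; "port-forwarding" turns forwarding back on, so only that remains.
# command="/bin/cat" is what the answer suggests: if the client forgets -N and
# asks for a shell, cat holds the session open with no prompt until Ctrl+D.
# With -N no session is requested, so the forced command never runs.
# Each optional DEST ("host:port") becomes a permitopen= option pinning the
# destinations that -L (and each SOCKS connection made through -D) may reach.
forward_only_entry() {
    key=$1
    shift
    opts='restrict,port-forwarding,command="/bin/cat"'
    for dest in "$@"; do
        opts="$opts,permitopen=\"$dest\""
    done
    printf '%s %s\n' "$opts" "$key"
}

# sshd_match_block USER
# Server-side counterpart: enforce the same limits for USER regardless of
# what the authorized_keys entry says (a user can edit their own keys file).
sshd_match_block() {
    cat <<EOF
Match User $1
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/cat
EOF
}

# count_unrestricted FILE
# Prints how many key entries in FILE have no "restrict" option. Lines that
# start with a key type (ssh-, ecdsa-, sk-) carry no options at all.
# Assumes option values contain no whitespace (true for the entries above).
count_unrestricted() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { n++; next }
        $1 !~ /(^|,)restrict(,|$)/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demo on a constructed file: one hardened entry, one unrestricted entry.
demo_file=$(mktemp)
forward_only_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoPlaceholderNotARealKey alice@laptop" \
    "127.0.0.1:1234" > "$demo_file"
printf '# bob still has an unrestricted key\n' >> "$demo_file"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherPlaceholderKey bob@desktop\n' >> "$demo_file"
cat "$demo_file"
sshd_match_block alice
echo "entries without restrict: $(count_unrestricted "$demo_file")"
rm -f "$demo_file"
```

Keep the Match block even if the key already carries restrict: the key file lives in the user's home directory and the user can remove the options, while /etc/ssh/sshd_config is root-owned and wins. Leave out permitopen if the key is meant to be a general SOCKS proxy via -D; with it, only the listed destinations are reachable. Check the edited server config with sshd -t before reloading.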