Linux – Unix Shell/SSH config to allow TCP port forwarding without showing a command prompt

debianlinuxport-forwardingssh

I'm running a Debian Linux. I'd like to have a user account that is able to connect via SSH for TCP-forwarding only, without a command prompt.

e.g the following would work (from a remote computer):

ssh -D1234 user@myhost

but no command prompt would appear.

Using a shell like /bin/false or /sbin/nologin is too restrictive as it doesn't even allow the user to log in. A shell that only allows the "exit" or Ctrl+D commands would do the job.

I know that something similar is possible to allow only SFTP, but I can't find the equivalent for TCP forwarding.

Thanks

Best Answer

It sounds like you're looking for the -N option:

-N      Do not execute a remote command.  This is useful 
        for just forwarding ports (protocol version 2 only).

Like so:

ssh -D 8080 -N foo@bar.com

Also of some interest might be the -f option:

 -f      Requests ssh to go to background just before command execution.  
         This is useful if ssh is going to ask for passwords or passphrases, 
         but the user wants it in the background.  This implies -n. 
         The recommended way to start X11 programs at a remote site is 
         with something like ssh -f host xterm.

If you want to restrict what inbound connections can:

Set up a custom command in your authorized_keys file (assuming you're using ssh keys)
Change your user's shell

What command/shell you use depends on what you want to allow. For example:

/bin/cat will hold the connection open but do absolutely nothing
rssh will allow you to customize what actions are available
A chroot jailed shell will provide similar customizability
bash can be run in restricted mode (rbash) which only allows you to run commands in your configured PATH. It's not foolproof, but it's worth more than nothing.

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

As you expected, this happens because SSH won't exit if there are outstanding connections going through the tunnel.

If you exit your browser (and all other programs that are going through the port 9000 tunnel) then SSH should exit.

The ssh man page says:

 The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

And I don't see any options to change that behavior, so I suspect there's nothing you can do.

SSH + svnserve -t command, while still allowing shell access

I wanted to comment on this yesterday but backed off waiting for someone more knowledgeable in this particular setup. Working from what you have said you can setup multiple users on the same account by having separate keys each setup to a different command structure. I,e user Bob would have a key command="svnserve -t --tunnel-user=Bob -r /home/ownername/" ssh-rsa A...eQ== laptoplogin@laptop

and Jane would be command="svnserve -t --tunnel-user=Jane -r /home/ownername/" ssh-rsa someother..eQ== laptoplogin@laptop

Now by the same logic you could set up a third shared key between you that just executes bash, or share the account password to login without keyless ssh and get access to the shell.

That being said, on an aside, you may just want to take a look at Mercurial or Git, both of which make centrally hosted development on a repository dead-simple and are far more powerful and flexible than svn.

Best Answer

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

SSH + svnserve -t command, while still allowing shell access

Related Topic