Ssh – How to ssh allowed to setup remote port forwarding but not execute commands

port-forwardingsshssh-tunnel

How can an SSH command be setup to allow port forwarding but not execute commands.

I know that the ssh login can use -N to stop commands executing, but can the ssh config file be setup to disallow it?

Restricting the type of shell and the path in Linux is on option, but can it be done in the SSH configuration itself?

Best Answer

Look at man sshd and search for AUTHORIZED_KEYS FILE FORMAT

What you want to do is create a public/private key pair, and put the public key in the ~/.ssh/authorized_keys file as normal. Then edit the authorized_keys file to add the string:

command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80"

It will end up looking kind of like:

command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-dss AAAAC3...51R==

You would want to change the argument to 'permitopen' and possibly change some of the other settings, but I think that's basically it.

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

As you expected, this happens because SSH won't exit if there are outstanding connections going through the tunnel.

If you exit your browser (and all other programs that are going through the port 9000 tunnel) then SSH should exit.

The ssh man page says:

 The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

And I don't see any options to change that behavior, so I suspect there's nothing you can do.

Git for Windows – How to Tell Git Where to Find Private RSA Key

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.