8

How can an SSH command be set up to allow port forwarding but not execute commands?

I know that the ssh login can use -N to stop commands executing, but can the ssh config file be setup to disallow it?

Restricting the type of shell and the path in Linux is an option, but can it be done in the SSH configuration itself?

vfclists

2 Answers

7

Look at man sshd and search for AUTHORIZED_KEYS FILE FORMAT

What you want to do is create a public/private key pair, and put the public key in the ~/.ssh/authorized_keys file as normal. Then edit the authorized_keys file to add the string:

command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80"

It will end up looking kind of like:

command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-dss AAAAC3...51R==

You would want to change the argument to 'permitopen' and possibly change some of the other settings, but I think that's basically it.

Slartibartfast
  • I guess the permitopen sets the local ports that can be forwarded from the users end. Does it affect remote port forwarding? Does it apply only to that key? – vfclists Jun 19 '10 at 11:04
  • The authorized_keys file is on the remote (ssh server) end. It indicates host+port combinations that clients with the authorized key are allowed to connect to via the server. The port that you use on the local (ssh client) side is irrelevant (and probably not communicated to the server), so it is omitted. Yes, it applies only to that key (which is why it is listed on the same line as the public key corresponding to the key that is permitted) – Slartibartfast Jun 21 '10 at 03:01
  • There's a typo here: `no-usr-rc` should be `no-user-rc`. – xebeche Oct 28 '12 at 18:21
  • Thank you for the correction, xebeche, I've edited the post. – Slartibartfast Feb 13 '13 at 04:48
  • There's still an instance of no-usr-rc in the answer -- not sure if you missed one or if the edit hasn't been processed? – Dave Gregory Feb 17 '16 at 11:58
  • This is why I hate the 6-characters-limit rule. I spent half an hour trying to figure out what's wrong, when I copied the one with the typo, only to find it's because no one except the owner can correct this answer. – zypA13510 Jun 26 '18 at 07:53
  • Many apologies; I corrected the example, not the instructions. If it isn't fixed, please feel free to comment again. – Slartibartfast Jul 01 '18 at 01:24
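As an added example (not code from the answer above or from OpenSSH), here is a small Python audit that parses authorized_keys entries in the format the answer describes and reports, per key, whether a command is forced, whether a PTY is denied, and which permitopen targets are allowed. The sample file and the key blobs are constructed placeholders.

```python
import re

# Constructed sample authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-ed25519 AAAAC3PLACEHOLDER== tunnel-only
ssh-ed25519 AAAAC3PLACEHOLDER== admin@example
command="/usr/bin/rsync --server",no-pty,permitopen="127.0.0.1:80",permitopen="127.0.0.1:443" ssh-rsa AAAAB3PLACEHOLDER== backup
"""
# The key type token separates the option prefix from the key blob and optional comment.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))\s+(\S+)(?:\s+(.*))?$"
)

def split_options(text):
    """Split the option prefix on commas, ignoring commas inside double quotes (sshd allows them there)."""
    options, current, in_quotes = [], "", False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            options.append(current)
            current = ""
            continue
        current += ch
    return options + [current] if current else options

def option_values(options, name):
    """Unquoted values of every option called `name` (permitopen may appear several times)."""
    return [o.split("=", 1)[1].strip('"') for o in options if o.startswith(name + "=")]

def audit_line(line):
    """Summarise what one authorized_keys entry lets the holder of that key do."""
    match = KEY_RE.search(line)
    if not match:
        raise ValueError("not an authorized_keys entry: %r" % line)
    options = split_options(line[:match.start()].strip())
    forced = option_values(options, "command")
    return {
        "key_type": match.group(1),
        "comment": match.group(3) or "",
        "forced_command": forced[0] if forced else None,
        "no_pty": "no-pty" in options,
        "permitopen": option_values(options, "permitopen"),
        # Without command= the login gets the account's normal shell.
        "shell_access": not forced,
    }

def audit(content):
    return [audit_line(l) for l in content.splitlines() if l.strip() and not l.startswith("#")]
```

Run `audit(SAMPLE_AUTHORIZED_KEYS)` to list the entries; the second one, with no forced command, is the kind that still grants a full shell.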
2

This article should set you on the right path:

http://www.semicomplete.com/articles/ssh-security/

eric