How can ssh be allowed to set up remote port forwarding but not execute commands?
How can an SSH command be set up to allow port forwarding but not execute commands?
I know that the ssh login can use -N to stop commands executing, but can the ssh config file be set up to disallow it?
Restricting the type of shell and the path in Linux is one option, but can it be done in the SSH configuration itself?
Solution 1:
Look at man sshd and search for AUTHORIZED_KEYS FILE FORMAT.
What you want to do is create a public/private key pair, and put the public key in the ~/.ssh/authorized_keys file as normal. Then edit the authorized_keys file to add the string:
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80"
It will end up looking kind of like:
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80" ssh-dss AAAAC3...51R==
You would want to change the argument to 'permitopen' and possibly change some of the other settings, but I think that's basically it.
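Added example, not part of the original answer: a small Python audit that parses an authorized_keys entry (including quoted option values that contain commas) and reports which forwarding-only restrictions are missing. The restrict, port-forwarding and permitlisten options are taken from sshd(8) rather than from this page, and the key blob in the sample is a constructed placeholder.

```python
import re

# Option names from sshd(8), AUTHORIZED_KEYS FILE FORMAT; compared lower-cased
# because sshd treats option keywords as case-insensitive.
REQUIRED = {"no-pty", "no-agent-forwarding", "no-x11-forwarding", "no-user-rc"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|(?=\s))')

def parse_entry(line):
    """Return (options, key_part); options maps lower-cased name -> list of values."""
    line = line.strip()
    opts, pos = {}, 0
    if re.match(r'(ssh|ecdsa|sk)-\S+\s', line):   # entry starts with a key type: no options
        return opts, line
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError(f"malformed options near column {pos}")
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
        if m.group(3) != ",":                     # whitespace follows: options are finished
            return opts, line[pos:].strip()

def audit(line):
    """List what keeps the entry from being forwarding-only; an empty list means it passes."""
    opts, _ = parse_entry(line)
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    # 'restrict' (sshd(8)) switches on every no-* restriction at once.
    missing = set() if "restrict" in opts else REQUIRED - set(opts)
    findings += [f"missing {name}" for name in sorted(missing)]
    # Under 'restrict', forwarding stays off unless 'port-forwarding' re-enables it.
    forwarding_on = "restrict" not in opts or "port-forwarding" in opts
    if forwarding_on and "permitopen" not in opts:
        findings.append("no permitopen (local -L destinations unrestricted)")
    if forwarding_on and "permitlisten" not in opts:
        findings.append("no permitlisten (remote -R listen ports unrestricted)")
    return findings

# Constructed sample: the option string from the answer with a placeholder key blob.
PAGE_ENTRY = ('command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,'
              'no-X11-forwarding,permitopen="127.0.0.1:80" ssh-ed25519 AAAAEXAMPLEKEY tunnel')

if __name__ == "__main__":
    for finding in audit(PAGE_ENTRY) or ["forwarding-only restrictions present"]:
        print(finding)
```

Run it over each line of an account's authorized_keys file; for the sample entry it reports only the permitlisten finding, since sshd(8) documents permitopen as limiting local (-L) forwards and permitlisten as limiting remote (-R) ones.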
Solution 2:
This article should set you on the right path:
http://www.semicomplete.com/articles/ssh-security/