ssh tunneling only access

Yes, just use /bin/false as shell and instruct the user to start the tunneling SSH process without executing any remote command (i.e. the -N flag for OpenSSH):

ssh -N -L 1234:target-host:5678 ssh-host

In the user's .ssh/authorized_keys file, put something like the following:

permitopen="192.168.1.10:3306",permitopen="10.0.0.16:80",no-pty ssh-rsa AAAAB3N...

So, basically, you the controls would be in front of the user's ssh public key separated by a space. In the example, connections using the specific public key will be allowed to do SSH port forwarding only to 192.168.1.10's MySQL server and 10.0.0.16's web server, and will not be assigned a shell (no-pty). You're specifically asking about the "no-pty" option, but the others may also be useful if the user is only supposed to tunnel to specific servers.

Look at the man page for sshd for more options for the authorized_keys file.

Note that the user's experience may look a little odd: when they ssh in, it will look like the session is hanging (as they are not getting a pty). That's OK. If the user has specified port forwarding with, for example, "-L3306:192.168.1.10:3306", the port forwarding will still be in effect.

In any case, give it a try.


Give the user a shell that only allows them to log out such as /bin/press_to_exit.sh

#!/bin/bash
read -n 1 -p "Press any key to exit" key

This way he can stay logged in as long as he wants, with tunnels active, but not run any commands. Ctrl-c closes the connection.


Assign a shell that doesn't let the user log in.

e.g.

#!/bin/sh
echo "No interactive login available."
sleep 60
exit 0

would prevent them from getting a shell prompt, and give them a time-out of 60 seconds - if there's no connection active for 60 seconds then it will exit and thereby disconnect them completely (increase the number according to requirements).

They can't execute a remote command, either, because that shell won't let them.