SSH Tunnel for restricted user w/ PuTTY and no shell

So I have been using SSH tunnels to restrict access to internal sites or portions of public sites for a while now, and since only admins had SSH access at all I've been using standard non-root/sudo user accounts. Well, now that I am expanding and trying to get students at my local universities involved to expand their projects, they are going to need to start accessing some of these internal pages.

The proxy server is a CentOS 6.4 box, with SELinux enabled, and will not be running any other services besides the proxy. I am looking to eventually set up a full VPN, but in this case it's simply to allow access to certain machines with an IP whitelist, rather than full internal network access.

I have looked at all the methods for setting up a SOCKS proxy with user accounts having things like /bin/false etc., but either

A) they assume only a single port or host is being forwarded (whereas in this case I have a set of VPS instances that will change on demand in networking configs), or

B) that a regular SSH client is in use rather than something like PuTTY (as much as I would love to force all the students to use a VM or install linux directly, that is not quite an option as the school uses PuTTY on their engineering hardware for student use).

Here is what I have found so far: if a regular ssh client is used, I can set the user shell to /bin/false and the user can specify the -N command when setting up the SOCKS proxy, but unfortunately for PuTTY users this doesn't seem to work (at least I couldn't get it working).

When PuTTY opens a tunnel through the default tunneling options, it has to open a shell, which immediately disconnects upon login since the user has a /bin/false shell. If I specify the "no shell or command" argument in the SSH settings, the proxy options don't seem to get set up. If I try to set up the proxy in the SSH options for remote commands, it still doesn't run unless I allow a shell or other commands in the options.

Related questions I found but do not quite fit:

Create SOCKS tunnels with PuTTY and nologin (this one would technically work, but the shell is simply a sleep command that runs for a very long time, and I'm worried about it being escaped. For security reasons I'd rather have a true noshell than a shell that simply hangs.)

https://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding (This doesn't work because it would require that the user use a true installation of ssh, and programs like PuTTY will not work). I also need them to be able to access webpages, though I assume I could simply specify PermitTunnel for the account rather than only allow a specific port.

"noshell" for ssh proxy users (This one does not work for PuTTY per the reasons I stated above regarding the need for PuTTY to have commands enabled to setup the SOCKS Proxy)

Any suggestions? I could easily be missing something, but I'm not sure.

-Jim


Just saw that PuTTY has the following option, and it may be what you are looking for: Connection -> SSH -> Don't start a shell or command

If enabled, the connection is made and nothing more is displayed on the console, but it is kept alive and the tunnel works fine. Hope it helps.


I found a solution (under a post here that does not use tags like nologin or noshell, but rather describes a dead simple trick for Windows users; I made it work for me without a shell).

I created a batch script using the answer from this post that can run a default installation of PuTTY and set up a tunnel without executing commands that would cause the shell to disconnect:

Dead simple SSH tunnel for my Windows users

"C:\Program Files (x86)\PuTTY\plink.exe" -v -N -D localhost:8080 proxy@remote_host

Since this lets Windows users with PuTTY access the tunnel, I can stick with /bin/false as the account shell.

Posted here for anyone who might be in a similar situation and to resolve the thread. If there are any other solutions, I'd love to hear them!

Now I just have to try to make this work with my SSH push-based two-factor system I'm implementing on all my systems, but that's something to work on after everything else is working.

-Jim
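The plink -N approach above keeps the client from asking for a shell, but the whitelist the original post mentions ("allow access to certain machines with an IP whitelist") still has to be enforced on the server, otherwise a -D dynamic forward reaches anything the proxy box can reach. The sshd_config fragment below is an added example, not part of the thread or of any of the posters' configurations; it uses the "proxy" account name from the plink line and assumes two hypothetical whitelisted web hosts (10.0.1.10 and 10.0.1.11). It is written for the OpenSSH 5.3 that CentOS 6 ships, so it relies on ForceCommand plus the /bin/false login shell rather than PermitTTY (added in OpenSSH 6.5):

```text
# /etc/ssh/sshd_config   (added example; hosts and ports below are assumptions)
# Keep the global defaults as they are. Match blocks go at the END of the file:
# every directive after "Match" applies only to that match until the next one.

Match User proxy
    # Students authenticate with keys only: nothing to phish or brute-force.
    PasswordAuthentication no
    PubkeyAuthentication yes

    # The whole point of the account is TCP forwarding, and nothing else.
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    GatewayPorts no

    # Destination whitelist, checked server-side for every -L forward AND for
    # every connection a -D SOCKS client tries to open. Without this line a
    # dynamic forward can reach anything the proxy box can reach.
    PermitOpen 10.0.1.10:80 10.0.1.10:443 10.0.1.11:80 10.0.1.11:443

    # Belt and braces alongside the /bin/false login shell: any shell or exec
    # request runs this instead and exits immediately. A "plink -N" / "ssh -N"
    # client requests no session at all, so its forwards stay up.
    ForceCommand /bin/false
```

Check the file with `sshd -t` before reloading sshd, then connect with the plink line from the thread. A student who leaves out -N gets the forced command, which exits at once and drops the connection, which is the failure mode you want. One caveat on PermitOpen: sshd compares the destination string the client sends, it does not resolve names, so list hosts the way the clients will actually name them (hostnames if the browser does remote DNS through the SOCKS proxy, addresses otherwise).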