Creating a Restricted SSH User for SSH Tunneling Only

Sometimes it is necessary to use SSH tunneling to access a web service on a specific port that is blocked by a firewall or router.

Of course, you could create just a new SSH user on your Linux server, but this user will be able to execute all server commands although they would not be necessary for SSH tunneling. In fact the only thing the user needs is to login and logout again – that’s enough! Therefore we don’t want the user to be able to do anything else for security reasons.

I will show in the following how you can create such a restricted SSH user on a Linux server (tested on Debian Linux) that can be used for SSH tunneling only.

First of all we create a new user (I just call him sshtunnel now) with rbash as shell:

useradd sshtunnel -m -d /home/sshtunnel -s /bin/rbash
passwd sshtunnel

Using rbash instead of bash will restrict the user already as he especially cannot change the directory and cannot set any environment variables. But the user can still execute most of the bash commands.

To prevent him from this, we use a small trick: we set the environment variable PATH for this user to nothing. This way the bash won’t find the commands to execute anymore. That’s easily done by adding this line to the end of the file .profile in the home directory of the user (in our example it is /home/sshtunnel/):

PATH=""

As we want to make sure the user is not able to change this again himself, we remove the write permissions from the user configuration files and from the home directory of the user itself:

chmod 555 /home/sshtunnel/
cd /home/sshtunnel/
chmod 444 .bash_logout .bashrc .profile

Now we’re done: you can setup your SSH tunnel for example with PuTTY just as normal and login with this newly created SSH user. You won’t be able to do anything else than login and logout anymore, but SSH tunneling will work fine!

Did you also need such a restricted SSH user already?

This post is also available in Deutsch.

8 thoughts on “Creating a Restricted SSH User for SSH Tunneling Only

    • Hello,

      you need to be a little bit more precise in your question:
      do you want to block a SSH user from using this SSH server as tunneling server or do you want to block other people to use your service from a tunneling server as proxy?

      Best regards
      Andreas

        • Hello,

          if you don’t want other users to use your service from a proxy (e. g. by SSH tunneling), I see no chance for that, because your service does not know if the client is a “normal” request or a request being tunneled through a SSH proxy.

          Best regards
          Andreas

          • I’ve just created a user account on my local system with /bin/rbash as the shell. The profile contains two lines

            test -d "$HOME/bin" && PATH="$HOME/bin"
            echo "Restricted shell... you're welcome"

            On my second try I was able to hit Ctrl/C at the right moment to stop the PATH being reset.

            This is definitely a security hole, and arguably a bug. If you trust your users not to exploit it, then you might as well not bother with rbash in the first place.

  1. Last time I tried to use rbash as a login shell, I could not find any way of preventing the user from hitting Ctrl/C and interrupting the execution of .bash_profile or .profile. (This is at odds with the original sh/rsh implementation, which notes that Ctrl/C is disabled while the .profile is executed.) So you cannot guarantee that any configuration in either of these files intended to restrict the user further will actually be executed.

    Pathologically, even a trap "" 3 at the top of the file could be interrupted.

    The only solution I found for this was to use a restricted bourne shell (rsh) and have trap "" 3; exec bash within the .profile and to remember to put all the subsequent bash code inside .bashrc

    • Hello Chris,

      first thanks for your comment.

      Maybe you’re right that there is a theoretical chance for a user to cancel the execution of the .profile script before setting path=”", but you will agree that there is no way that a “real” user is able to hit Ctrl+C fast enough that this simple line is not executed. And this tip here is intended to be for “real” users that has the right to login for SSH tunneling, but should not be able to do any other things on the server. For this purpose this solution should be definitely enough.

      Best regards
      Andreas

Leave a Reply to KY Cancel reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>