Of course, you could create just a new SSH user on your Linux server, but this user will be able to execute all server commands although they would not be necessary for SSH tunneling. In fact the only thing the user needs is to login and logout again – that’s enough! Therefore we don’t want the user to be able to do anything else for security reasons.

I will show in the following how you can create such a restricted SSH user on a Linux server (tested on Debian Linux) that can be used for SSH tunneling only.

First of all we create a new user (I just call him sshtunnel now) with rbash as shell:

useradd sshtunnel -m -d /home/sshtunnel -s /bin/rbash
passwd sshtunnel

Using rbash instead of bash will restrict the user already as he especially cannot change the directory and cannot set any environment variables. But the user can still execute most of the bash commands.

To prevent him from this, we use a small trick: we set the environment variable PATH for this user to nothing. This way the bash won’t find the commands to execute anymore. That’s easily done by adding this line to the end of the file .profile in the home directory of the user (in our example it is /home/sshtunnel/):

PATH=""

As we want to make sure the user is not able to change this again himself, we remove the write permissions from the user configuration files and from the home directory of the user itself:

chmod 555 /home/sshtunnel/
cd /home/sshtunnel/
chmod 444 .bash_logout .bashrc .profile

Now we’re done: you can setup your SSH tunnel for example with PuTTY just as normal and login with this newly created SSH user. You won’t be able to do anything else than login and logout anymore, but SSH tunneling will work fine!

Did you also need such a restricted SSH user already?