Can I disable interactive shell access while tunneling web traffic through SSH?
After four years this answer deserved an update. While originally I used authorized_keys myself and would probably use it still in some select cases, you can also use the central sshd_config server configuration file.
You can designate (for your particular use case) a group, such as proxy-only, or Match individual users, in sshd_config. This is done after the global settings and revokes, repeats or refines some of the settings given in the global settings.
Note: some of the syntax/directives used in sshd_config(5) are documented in the man page for ssh_config(5). In particular make sure to read the PATTERNS section of ssh_config(5).
For a group this means your Match block would begin like this:

    Match group proxy-only
Match can match the following criteria: User, Group, Host, LocalAddress, LocalPort and Address. To match several criteria simply comma-separate the criteria-pattern pairs (group proxy-only above).
Inside such a block, which is traditionally indented accordingly for brevity (but needn't be), you can then declare the settings you want to apply for the user group without having to edit every single authorized_keys file for members of that group. The no-pty setting from authorized_keys would be mirrored by a PermitTTY no setting and command="/sbin/nologin" would become ForceCommand /sbin/nologin.
Additionally you can also set more settings to satisfy an admin's paranoia, such as chroot-ing the user into his home folder, and you would end up with something like this:

    Match group proxy-only
        PermitTTY no
        ForceCommand /sbin/nologin
        ChrootDirectory %h
        # Optionally enable these by un-commenting the needed line
        # AllowTcpForwarding no
        # GatewayPorts yes
        # KbdInteractiveAuthentication no
        # PasswordAuthentication no
        # PubkeyAuthentication yes
        # PermitRootLogin no

(check yourself whether you need or want the commented-out lines and uncomment as needed)
%h is a token that is substituted by the user's home directory (%u would yield the user name and %% a percent sign). I've found ChrootDirectory particularly useful to confine my sftp-only users:

    Match group sftp-only
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
        PasswordAuthentication no
Please mind that only certain directives can be used in a Match block. Consult sshd_config(5) for details (search for Match).
NB: the part below this remark was my original answer. Meanwhile - but it also depends on the features of your exact sshd version - I would go for the method described above in most cases.
Yes you can, as fine-grained as you can assign public keys. In addition to nologin as recommended by ajdecon, I would suggest setting the following in front of the key entry in authorized_keys:

    no-pty ssh-rsa ...

The no-pty tells the server side that no pseudo-terminal should be allocated for that key.
You can also force the execution of something like nologin for a particular key by prepending this:

    command="/sbin/nologin",no-pty ssh-rsa ...
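As an added check (example code written for this page, not the poster's own nor OpenSSH's), the script below simulates how sshd resolves a Match block: per sshd_config(5) the global section's first value for a keyword wins, the first matching Match block that sets the keyword overrides it, and a Match line is space-separated criterion/pattern-list pairs whose patterns follow the ssh_config(5) PATTERNS rules (comma-separated, "!" negates; Address takes CIDR). The config text and the user/group/address values are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config for this example (not a real server's file):
# global defaults first, then the Match block from the answer above.
SSHD_CONFIG = """
PermitTTY yes
AllowTcpForwarding yes
Match group proxy-only
    PermitTTY no
    ForceCommand /sbin/nologin
    ChrootDirectory %h
"""

def _pattern_list_matches(value, patterns):
    # ssh_config(5) PATTERNS: comma-separated globs; a '!' pattern that hits
    # rejects outright, otherwise at least one positive pattern must hit.
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(value, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(value, pat):
            hit = True
    return hit

def _criteria_match(tokens, user, groups, host, addr):
    # Space-separated "criterion pattern-list" pairs; all must hold (KeyError if unknown).
    for crit, pats in zip(tokens[::2], tokens[1::2]):
        if crit.lower() == "address":  # CIDR list rather than glob patterns
            ok = any(ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
                     for p in pats.split(","))
        else:
            values = {"user": [user], "group": groups, "host": [host]}[crit.lower()]
            ok = any(_pattern_list_matches(v, pats) for v in values)
        if not ok:
            return False
    return True

def effective_options(config, user, groups, host, addr):
    # Global section: first value per keyword wins. Match blocks: the first
    # matching block that sets a keyword wins and overrides the global value.
    glob, matched, in_match, active = {}, {}, False, False
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in config.splitlines())):
        key, val = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            in_match, active = True, _criteria_match(val.split(), user, groups, host, addr)
        elif not in_match or active:
            (matched if in_match else glob).setdefault(key.lower(), val.strip())
    return {**glob, **matched}
```

On a real host the authoritative form of this check is `sshd -T -C user=alice,host=client.example,addr=198.51.100.7`, which prints the effective configuration after Match processing; `sshd -t` alone only validates syntax.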
For any tunnelling-only user, change their login shell to /sbin/nologin. That way your user will be unable to access a shell on the server, but will still be able to set up ssh tunnels from their client.