# SSH Tunnelling Only Server

## humbletech99

I am going to set up a server for the purpose of SSH tunnelling and want some advice on security. I'm intending to have a dedicated installation for this purpose and want to both secure and restrict it completely to the point that it will do nothing else, not even give users a working shell, just a tunnel.

I will of course chroot it, and was looking at restricted shells on top of that, so no binaries in the chroot and a restricted shell environment as well. Of course, I'd like it even more if they just had to ssh shell entirely.

Does anyone have any suggestions for an scponly style shell that doesn't give a shell prompt or any other ideas on how to best go about this?

----------

## Voltago

Perhaps you could just add some users with /bin/false as shell on your server, and allow only these to login via ssh?

----------

## humbletech99

If I did that then how could I possibly have a tunnel up, the connection would close immediately...

----------

## Voltago

*humbletech99 wrote:*

> If I did that then how could I possibly have a tunnel up, the connection would close immediately...

```
ssh -N ...
```

----------

## think4urs11

net-proxy/sshproxy might be what you want

----------

## humbletech99

*Voltago wrote:*

> *humbletech99 wrote:*
>
> > If I did that then how could I possibly have a tunnel up, the connection would close immediately...
>
> ```
> ssh -N ...
> ```
>
> ...

Yes I use that myself, thanks for the pointer, but I can't expect users to use that. I don't want to have them remember to and more importantly I don't want them to even have a choice to get a shell.

Think4UrS11: thanks for the suggestion of sshproxy, I am looking at it although it looks a bit young, it might do what I want. Looks like a bit of work to set it up though.

I was thinking of just changing the login shell to /bin/cat which will act like a null shell, no commands and will just hang until a ctrl-d or exit... what do you think? I can't see a real problem with doing this at the moment...

----------

## Voltago

*humbletech99 wrote:*

> I don't want them to even have a choice to get a shell.

They won't have that choice if you set their shell in your server's /etc/group to /bin/false.

----------

## humbletech99

*Voltago wrote:*

> *humbletech99 wrote:*
>
> > I don't want them to even have a choice to get a shell.
>
> They won't have that choice if you set their shell in your server's /etc/group to /bin/false.

Are you trying to be funny or is that supposed to be serious advice?

Do you even have a unix system? If so then I suggest you look at that file.

Now I'm willing to believe that was just a slip of the keyboard, but furthermore if you were to /bin/false a login then any ssh connection would not even stay up long enough to pass any data, which would therefore stop it from being a tunnelling server...

----------

## Voltago

Ok, perhaps I should elaborate what I'm trying to say.

1. Set user 'foo''s shell on 'server' to /bin/false

2. Call ssh with

```
ssh foo@server
```

and you cannot log in.

3. Call ssh via

```
ssh -NDf 1080 foo@server
```

and you don't even try to log in, but only connect to the ssh server and open a SOCKS proxy connection. Next time perhaps try to be less arrogant when people try to help you.

----------

## humbletech99

I'm sorry, I wasn't trying to be arrogant, but your advice was not good. A person who didn't know a lot about unix would get quite confused and stuck with that I think.

Firstly, you sent me to the wrong place to change the shell. Secondly, that would basically block logins which most people use, as not everyone uses those switches, although I do, but even then not all the time.

Thirdly, this bit is my fault for not stating the clients more clearly, but not all clients will be the ssh command line and therefore you cannot assume that all clients will have the -N switch. For example, one person who will need this is a purely non-technical Windows user using PuTTY. Therefore I'd like to keep it as simple as possible.

Although in retrospect, I can actually do as you have suggested since putty does support this option.

What do you think about the cat idea though? It makes the user's life simpler... no -N required... and I can't yet find a real security problem with doing that....

Fourthly, thanks very much for trying to help me. Sorry for the odd reaction, I had another user tell me complete garbage on another forum previously, challenged his bad advice only to have 2 other people join the thread telling me he'd also given extremely bad advice to them, so it looked like this was also the case. Apologies again. Here is that thread if you want a laugh http://www.softwaretipsandtricks.com/forum/windows-xp/34639-windows-4gb-limit.html

----------
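A server-side way to get the account the thread is after (no prompt, no commands, and it works for a PuTTY user who never passes -N), as an added example that is not from any poster: it assumes a group named tunnelonly and a null shell installed at /usr/local/bin/tunnel-shell, and it relies on sshd_config's Match, ForceCommand and PermitTTY directives, which the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Two pieces for a tunnel-only account:
#   1. tunnel_shell: the process the user gets instead of a prompt
#   2. tunnel_only_match_block: the sshd_config stanza that forces it
# Assumed names: group "tunnelonly", script installed as /usr/local/bin/tunnel-shell.

# Keeps the session channel open with no prompt, like the /bin/cat idea, but
# logs and refuses anything the client asked to execute. When ForceCommand is in
# effect sshd puts a requested command (or a subsystem such as sftp) into
# SSH_ORIGINAL_COMMAND; for a plain "ssh foo@server" session it is unset.
tunnel_shell() {
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        if command -v logger >/dev/null 2>&1; then
            logger -t tunnel-shell "denied command for ${USER:-?}: $SSH_ORIGINAL_COMMAND" || :
        fi
        return 1
    fi
    # No tty and no echo: just block until the client sends EOF (Ctrl-D) or disconnects.
    cat >/dev/null
}

# sshd_config fragment (Match blocks go at the end of the file). Port forwarding
# stays on; tty, X11, agent and tun/tap forwarding are off, so the forced command
# is all the account can reach. A client using -N never opens a session channel,
# so the forced command is simply not run for it.
# Note: sshd invokes ForceCommand through the login shell ("$SHELL -c ..."), so
# the account keeps a real shell such as /bin/sh; /bin/false as the login shell
# would kill the forced command along with everything else.
tunnel_only_match_block() {
    cat <<'EOF'
Match Group tunnelonly
    ForceCommand /usr/local/bin/tunnel-shell
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
EOF
}

# Run only when executed as the installed forced command, not when sourced.
case "$0" in
    */tunnel-shell) tunnel_shell "$@" ;;
esac
```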

