# SSH still provides a shell although no-pty is set

## c00l.wave

I'm trying to set up monitoring with Munin, largely following the guide on wiki.gentoo.org. Munin needs to set up SSH tunnels on demand, so I wanted to restrict them as well as possible. Unfortunately, if I set ~munin-async/.ssh/authorized_keys as follows, I am still able to get a shell. Usually that should not happen since I set no-pty? (used that before and it always worked)

```
# cat /var/spool/munin-async/.ssh/authorized_keys
permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE
```

```
$ ssh 10.2.0.1 -l munin-async
PTY allocation request failed on channel 0
Last login: Sun Apr  7 14:30:01 CEST 2013 from monitoring on ssh
cd /
ls
bin
boot
dev
etc
home
lib
lib32
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
sys
tmp
usr
var
Connection to 10.2.0.1 closed.
```

```
# grep munin-async /etc/passwd
munin-async:x:104:104:added by portage for munin:/var/spool/munin-async:/bin/sh
```

OpenSSH is at 5.9_p1-r4.

----------

## Hu

Shells work without a pty, though they often work much better with one than without one.  If you want to disallow running arbitrary programs, force a command when that key is used.

----------

## c00l.wave

Ouch... Thanks for pointing that out.  :Embarassed: 

I'm pretty sure the OpenSSH client (or server) did not let me continue to a shell if it couldn't allocate a PTY when I first tested it a few years back, or I did something else different back then.

BTW, it's hard to believe so many other people rely on no-pty alone, but if you search for it there is an incredible number of posts/blogs/articles about no-pty being sufficient.

----------
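Added example, not part of any post in this thread: a small Python check that parses the option field of each `authorized_keys` entry and flags keys that, like the one in the question, have no forced command and so still allow command execution despite `no-pty`. The sample entries, the `KEYHERE` placeholders and the forced `echo` command are constructed for illustration; the check reads only the key file, so a `ForceCommand` set in `sshd_config` is not considered.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # key field starts here, no options

def split_options(line):
    """Parse the leading option field of one authorized_keys entry into a dict."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return {}
    # The option field ends at the first whitespace outside double quotes.
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 1  # skip the escaped character
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            break
        i += 1
    opts = {}
    # Split on commas outside quotes; option names are case-insensitive.
    for part in re.findall(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', line[:i]):
        name, _, value = part.partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts[name.lower()] = value
    return opts

def audit(text):
    """Return (line number, reason) for every key that can run arbitrary commands."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = split_options(line)
        if "command" not in opts:
            reason = "no-pty without forced command" if "no-pty" in opts else "no forced command"
            findings.append((lineno, reason))
    return findings

SAMPLE = '''# constructed authorized_keys sample (line 2 is the entry from the question)
permitopen="localhost:4949",no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,from="10.2.0.16" ecdsa-sha2-nistp256 KEYHERE
command="echo tunnel only, no shell",permitopen="localhost:4949",no-pty ecdsa-sha2-nistp256 KEYHERE
ssh-ed25519 KEYHERE user@host
'''

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```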

