# SSH User for SOCKS Proxy Only

## Caligatio

Hello All,

I have a friend of mine that asked if I could get him setup on my Gentoo with a SOCKS5 proxy account.  While I do trust him not to do anything overtly bad, I figured this may be a good opportunity to learn a bin more about account/SSH security.

In the ideal case, I want to grant his account only the ability to open a tunnel for SOCKS5 connections - no shell and no tunnels to my internal machines.  It appears that setting his shell to /bin/false will accomplish denying him the shell; however, I don't even know if it's possible to dictate what type of tunnels are created.  I realize that with a dynamic tunnel a user could get access to my internal machines but it would be a bit more convoluted. 

I'd appreciate any help!

----------

