How to prevent users from logging in via ssh manually?



I have a script that connects to a remote server with the key. However, I don't want people to log in to the server by typing the ssh command, but the script should work.



Edit: The script initiates a remote port forward. It contains the normal ssh -R command with all required parameters, and also sets up a pseudo terminal with -t, starting a script on the remote server and passing some variables to it. The script on the remote server checks the variable sent via -t and decides whether to accept the port forward connection or just close the ssh connection.










  • And what are people doing on the remote server? Shell access? Or running a specific program?

    – Daniel B
    yesterday











  • The script they run is to set up a remote port forward. That's why I don't want them to log in to the server and execute any sort of commands.

    – Sathvik K S
    yesterday


















Tags: linux ssh






– Sathvik K S
asked yesterday, edited yesterday

3 Answers






You can perhaps replace the script by a binary that decrypts a key on the fly. That would make it harder (but not impossible) to capture the key for other purposes.



If there is only one thing to run on the server, you can try to make that a script that is defined as their login shell.



But IMHO it is safer to write a small web server that runs the actions on the server, with the local script doing curl calls to it.






– xenoid
answered yesterday














Another solution would be to restrict the amount of access that the ssh user you are using to connect has. So even if they do connect, they can't do anything. You could do this by creating a new user and setting up correct permissions for just this connection. Additionally, you could set up a virtual environment on your server for that user that is isolated from the rest of your server. If you don't set up a virtual environment, you would need to do a security audit on your files to make sure there aren't any 'everybody' permissions on files/directories that would be available to this user.






– Davey (new contributor)
answered yesterday
  • I did edit /etc/passwd to set the user's login shell to rbash. However, people can still type commands (although they won't work) and get errors like "command not found" or something like that.

    – Sathvik K S
    yesterday



















If you want users to only be able to use port forwarding, you should be setting up restrictions on the server.

As discussed here on Ubuntu Stack Exchange:

    Match Group some-group
    #AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:62222
    ForceCommand echo 'This account can only be used for port forwarding'

Users in the UNIX group some-group will then not be able to do anything but use port forwarding to localhost:62222. ssh must be invoked with -N (“Do not execute a remote command.”) because otherwise ForceCommand will take effect and kill the connection.

If you want remote port forwarding, you need to use PermitListen instead of PermitOpen and an appropriate GatewayPorts option.






– Daniel B
answered 17 hours ago
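The Match-block approach above, carried through to the asker's remote-forward case and to xenoid's "script as the only thing the account can run" suggestion, as an added example that is not code from any of the answers: a ForceCommand gatekeeper that keeps the session (and its -R listener) open only when the client requested exactly "forward <ticket>" with a ticket from an allow-list, and otherwise closes the connection. Assumed, not from the page: the group name `forwarders`, the paths `/usr/local/bin/ssh-gatekeeper.sh` and `/etc/ssh/forward-tickets`, and that the deploy script sends `forward <ticket>` as its remote command instead of using -N or -t; port 62222 is the answer's.

```shell
#!/bin/sh
# ssh-gatekeeper.sh: ForceCommand for an account that may only hold a remote
# port forward. Added example, not from the page. Assumed sshd_config Match
# block (PermitListen and ForceCommand are the directives the answer names;
# the group name and the other directives are assumptions):
#
#   Match Group forwarders
#       AllowTcpForwarding remote
#       PermitListen localhost:62222
#       GatewayPorts no
#       PermitTTY no
#       X11Forwarding no
#       AllowAgentForwarding no
#       ForceCommand /usr/local/bin/ssh-gatekeeper.sh
#
# sshd runs ForceCommand in place of whatever the client asked for and exposes
# the client's request in SSH_ORIGINAL_COMMAND. The deploy script is assumed to
# run:  ssh -R 62222:localhost:22 user@host forward <ticket>   (no -N, no -t)
# so a session channel exists and this script gets to decide.

# gate_decision REQUESTED ALLOWLIST
# Returns 0 when the session should stay open (forward accepted), 1 otherwise.
# Policy: the request must be exactly "forward <ticket>", where <ticket> is a
# plain token that appears as a whole line in ALLOWLIST.
gate_decision() {
    requested=$1
    allowlist=$2
    # An empty request is an interactive "ssh user@host" login: refuse it.
    [ -n "$requested" ] || return 1
    case "$requested" in
        "forward "*) ticket=${requested#forward } ;;
        *) return 1 ;;                    # any other command is refused
    esac
    # Tickets are [A-Za-z0-9_-] only, so no spaces or shell metacharacters
    # ever reach grep or the log line below.
    case "$ticket" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    # Exact, fixed-string, whole-line match against the allow-list.
    printf '%s\n' "$allowlist" | grep -qxF -- "$ticket"
}

# Entry point: runs only when installed under the assumed script name, so the
# function above can be sourced and tested without side effects.
if [ "$(basename -- "$0")" = "ssh-gatekeeper.sh" ]; then
    # Belt and braces with PermitTTY no: never serve a terminal.
    if [ -t 0 ]; then
        echo "Interactive sessions are not permitted" >&2
        exit 1
    fi
    # Assumed allow-list: one ticket per line, root-owned, world-readable.
    tickets=$(cat /etc/ssh/forward-tickets 2>/dev/null)
    client=${SSH_CONNECTION%% *}
    if gate_decision "${SSH_ORIGINAL_COMMAND:-}" "$tickets"; then
        logger -t ssh-gatekeeper "forward accepted for $USER from $client"
        # Hold the session open; sshd drops the -R listener when the client
        # disconnects. sleep infinity is GNU coreutils; loop on other systems.
        exec sleep infinity
    fi
    logger -t ssh-gatekeeper "rejected request from $USER at $client"
    echo "This account can only be used for port forwarding" >&2
    exit 1
fi
```

A client that connects with -N opens no session channel, so ForceCommand never runs for it and its forward is governed only by the Match block's forwarding directives, not by the ticket check. The logger lines give the server side a record of accepted and rejected requests to alert on.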