/bin/nologin and ssh tunnels

Toggle sidebar Toggle sidebar
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
69,930
13,457
126
www.anyf.ca
If I set /bin/nologin as the shell of a user, will this also deny tunneling? Like it makes the ssh console just keep asking for a password but technically they're still "logging in" they're just not getting bash. So is it bash that handles tunneling, or is it something else? I just want to ensure that I'm also disabling tunneling completly for users when I do /bin/nologin. I just want to allow other services such as sftp/ftp.
 
K

Kakumba

Senior member
Mar 13, 2006
610
0
0
I could be wrong, but I believe that you are completely denying that user from getting a console session. Or any session at all, except maybe samba, if this user was setup to use samba on a file server? I will have to try this tonight on my samba box..
 
kamper

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
No, tunnelling is not taken care of by the shell, it's done by ssh and sshd. If the user gets booted right away there might not be time for any tunnels to be made, not sure. However, the correct way to go about this would probably be to disable tunnelling in sshd_config. Scponly is a shell that is designed for allowing only scp. I'm not aware of anything that allows sftp but not a full shell.
 
B

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
All I can say is, using /bin/nologin works fine for my vsftpd and Samba users. I don't think I'm using it for anything else.

The tunnel should be completely independent from your shell so I would bet it would work fine.
 
B

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Also, I'm sure you will have to use plink to open the tunnel instead of putty (plink comes with putty) if you are using /bin/nologin.
 
kamper

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Brazen
All I can say is, using /bin/nologin works fine for my vsftpd and Samba users. I don't think I'm using it for anything else.

The tunnel should be completely independent from your shell so I would bet it would work fine.
Click to expand...
Yes, the tunnel is independent from your shell, but when you try to login and /bin/nologin boots you, your ssh connection gets shut down. ftp and samba are different because they don't try to invoke your shell.
 
B

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: kamper
Originally posted by: Brazen
All I can say is, using /bin/nologin works fine for my vsftpd and Samba users. I don't think I'm using it for anything else.

The tunnel should be completely independent from your shell so I would bet it would work fine.
Click to expand...
Yes, the tunnel is independent from your shell, but when you try to login and /bin/nologin boots you, your ssh connection gets shut down. ftp and samba are different because they don't try to invoke your shell.
Click to expand...

that's why you need to use plink. plink doesn't invoke a shell.
 
kamper

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Brazen
that's why you need to use plink. plink doesn't invoke a shell.
Click to expand...
From the documentation, it sure looks like it does. Anyway, you're right that port forwarding is possible without running a shell. "ssh -N" allows one to forward ports with a nologin user.
Originally posted by: RedSquirrel
Yeah but don't want to disable it completly. But yeah does not seem its possible to do what I wanted, so no biggie.
Click to expand...
I don't remember which version of ssh in which this was introduced, but you can use a Match section in sshd_config to disable port forwarding by group, user or client ip. I'd stick all users that you want to have this setup in a common group and just restrict everything for them. Or, conversely, restrict everything by default and re-enable things for specific administrators (probably safer).
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom