Setting up a restricted SSH tunnel user on Debian

Today, I set up a user especially for SSH tunneling using Putty and my Debian vServer. The user is able to securely log in using SSH, but is not given shell access.

1. Generate an SSH key for the user. You can generate SSH keys with OpenSSH, but I’ve used [url=http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html]PuttyGen[/url] on my Windows client:

Start PuttyGen, Select “SSH-2 DSA” at the bottom, push “Generate”. If you enter a passphrase to protect your private key, you’ll need to enter it every time you open the tunnel connection. Save the private key and leave the window open. I’ve called mine “tunnel.ppk”.

2. On the Linux server, you can either add a new user or reuse an existing user. Then, create ~/.ssh/ if it doesn’t exist and edit ~/.ssh/authorized_keys, copying and pasting the public key from the PuttyGen window. To restrict the key to, well, basically no commands, prefix it with a command= option: sshd then runs that command instead of whatever the client requests, and the one used here does nothing other than keep the connection alive:

[code]mkdir ~/.ssh/
chmod 700 ~/.ssh/[/code]

~/.ssh/authorized_keys (chmod 600):

[code]command="while :;do date;sleep 50;done" ssh-dss AAAAB3NzaC1yc2EAAAABJQ….[/code]

This will put the user logging in using the key into a loop that outputs the date every 50 seconds to keep the connection alive.
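The server-side part of step 2 as a small script, added here as an example and not taken from the original post. It assumes a home directory and a public key (in OpenSSH one-line format) are passed in by the caller; the function names are mine. Besides command=, the entry it writes also sets no-pty, no-agent-forwarding and no-X11-forwarding, so the key is good for the keep-alive loop plus TCP port forwarding and nothing else, and it sets the directory and file modes sshd's StrictModes check insists on.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs a forced-command
# key for a tunnel-only account. Assumptions: $1 is the account's home
# directory, $2 the public key ("ssh-ed25519 AAAA... comment"); GNU stat.
set -eu

# Build the authorized_keys entry. command= replaces whatever the client asks
# to run; the no-* options close the interactive and forwarding side doors
# that command= alone leaves open.
restricted_key_line() {
    printf '%s\n' "no-pty,no-agent-forwarding,no-X11-forwarding,command=\"while :;do date;sleep 50;done\" $1"
}

# Create ~/.ssh with the modes sshd requires and append the restricted entry.
install_tunnel_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    restricted_key_line "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Returns 0 only when both modes are what sshd expects. With wrong modes sshd
# ignores the file, which shows up on the client as a plain "publickey" refusal.
check_tunnel_key_perms() {
    home="$1"
    [ "$(stat -c %a "$home/.ssh")" = "700" ] &&
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ]
}

# Usage on the server, after "adduser --disabled-password tunnel":
#   install_tunnel_key /home/tunnel "$(cat tunnel.pub)"
#   check_tunnel_key_perms /home/tunnel && echo ok
```

Two things to keep in mind: the account still needs a real login shell, because sshd runs the forced command through the user's shell, so setting the shell to nologin would break the loop rather than harden it; and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current Debian generate an Ed25519 or RSA key in PuttyGen instead of "SSH-2 DSA". A quick client-side check that the SOCKS tunnel from step 4 actually carries traffic is curl --socks5-hostname 127.0.0.1:1080 https://example.com.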

3. On the client, create a new connection in Putty. Input your server details. Go to “Connection -> Data”, put the user name into the “Auto-login username” field. Under “Connection -> SSH -> Auth”, at the bottom, select the private key file you’ve created in step 1. To set up a dynamic SOCKS tunnel, go to “Connection -> SSH -> Tunnels”, enter a port number into the Source port field (e.g. 1080), select “Dynamic” at the bottom, and press “Add”. Save your profile.

4. Connect in Putty. You will see a window echoing the date every once in a while. You can now socksify your connections to 127.0.0.1:1080 (the port you chose in step 3).