From: Glenn Trewitt
Reply-To: glenn@trewitt.org
Date: Fri, 12 Apr 2002 08:07:49 -0700
To: Rasputin
Cc: stable@FreeBSD.ORG
Subject: Re: port forward only account?
Message-ID: <3CB6F846.B70FE562@trewitt.org>
References: <20020412151758.A21613@shikima.mine.nu>

You don't need to have a shell for SSH to do port forwarding.
i.e., /sbin/nologin will do.

This doesn't help with restricting IPs, but you can do that in sshd_config

- Glenn Trewitt

Rasputin wrote:

> Bit of an odd one this - I have users I want to allow to
> ssh port forward to localhost on his box from certain IPs, but
> not to have a shell.
>
> What's a suitable shell? It should be able to hold a session open,
> but not do anything else.
>
> First thought is something like:
>
> fwder:*:1002:1002:SSH port forwarder:/home/fwder:/usr/games/worms
> --
> Rasputin :: Jack of All Trades - Master of Nuns ::
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
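
The setup discussed in this thread, as an added sshd_config sketch that is not part of the original messages: a forward-only account with a nologin shell, restricted by source address. It assumes a current OpenSSH (the Match block and several of these options are newer than this 2002 thread); the network 192.0.2.0/24, port 5432, the account "admin" and the host name "server" are placeholders.

```conf
# /etc/ssh/sshd_config (fragment): constructed example, not from the thread.
# Account entry, with the shell replaced as suggested in the reply:
#   fwder:*:1002:1002:SSH port forwarder:/home/fwder:/sbin/nologin

# Source-address restriction. Once AllowUsers is set, only the users listed
# here may log in at all, so every other permitted account must be listed too.
# "admin" and the 192.0.2.0/24 network are placeholders.
AllowUsers fwder@192.0.2.0/24 admin

Match User fwder
    # Local (-L) forwards only; remote (-R) forwards are refused.
    AllowTcpForwarding local
    # The only destination that may be opened. The value is compared with the
    # destination the client asks for, so the client must request "localhost".
    PermitOpen localhost:5432
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    # Any session request runs nologin, even if the account's shell in the
    # password file is changed later.
    ForceCommand /sbin/nologin

# Client side: -N asks for no remote command, so no shell is needed and the
# connection stays open for the forward only:
#   ssh -N -L 5432:localhost:5432 fwder@server
```

Check the file with `sshd -t` before reloading the daemon, and confirm from an address outside the allowed network that the login is refused.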