I would like to lock down an Arch Linux user account to the maximum extent possible. The only functionality required for the account is to accept a non-terminal SSH session which allows the client to create a tunnel to the internet.
The situation is that I want to share my remote connection with a few friends. I will provide them with an SSH key for the account and configure their programs as necessary.
The complication is that I don't want to place 100% faith in their ability to secure the key file. I'd rather minimize the potential damage of a compromise while it's still hypothetical – and take the opportunity to learn more about security.
Is there any way I can achieve a completely isolated and/or locked down account? Can I allow SSH connections but refuse terminal access?
I appreciate any help!
Best Answer
When you add keys to an
authorized_keys
file you have several options to restrict what that key can do. In this situation, you can disallow running any commands. Simply prefix it withcommand=""
.For example:
When the user wants to connect, they have to pass
-N
tossh
. This tells thessh
client not to try running a command, but to just open a connection (and do tunneling if configured). If the client is started without-N
, it'll immediately disconnect.For example: