Hello.

I once read somewhere that it's possible to limit SSH pubkeys to
'tunnel-only'. I can't seem to find any information about this
in any of the usual places.

I'm going to be deploying a few servers in a couple of days and
I'd like them to log to a central server over an SSH tunnel (using
syslog-ng) however I'd like to prevent actual logins (hence
'tunnel-only').

Can this be done with OpenSSH? I'd like to try and stay away from
the complexities of a chrooted-stunnel for now...

cheers,
M

--
pgp: http://www.darklogik.org/pub/pgp/pgp.txt
0160 A46A 9A48 D3B0 C92F B690 17FB 4B72 0207 ED43

Hi,

> I once read somewhere that it's possible to limit SSH pubkeys to
> 'tunnel-only'. I can't seem to find any information about this
> in any of the usual places.
>
> I'm going to be deploying a few servers in a couple of days and
> I'd like them to log to a central server over an SSH tunnel (using
> syslog-ng) however I'd like to prevent actual logins (hence
> 'tunnel-only').
>
> Can this be done with OpenSSH? I'd like to try and stay away from
> the complexities of a chrooted-stunnel for now...

I think you can use /bin/false as shell, and then use ``ssh -nN''
from the client. I've not tested this, but I guess this should work.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

On Thu, Sep 22, 2005 at 04:27:18PM +0100, markzero wrote:
> Hello.
>
> I once read somewhere that it's possible to limit SSH pubkeys to
> 'tunnel-only'. I can't seem to find any information about this
> in any of the usual places.
> ...
> Can this be done with OpenSSH? I'd like to try and stay away from
> the complexities of a chrooted-stunnel for now...

See the section "AUTHORIZED_KEYS FILE FORMAT" in the sshd man page.

There is also a discussion of this in the O'Reilly _SSH_ book.

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Prediction is difficult, especially if it involves the future. -- Niels Bohr

See http://www.catwhisker.org/~david/publickey.gpg for public key.
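
An added illustration, not part of the original thread: a Python check that parses the options field described in that sshd man page section and reports which per-key restrictions an authorized_keys entry still lacks to be forwarding-only. The sample entries, the placeholder key material, the 127.0.0.1:514 syslog target and the function names are constructed for this example.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def split_options(line):
    """Return the option strings of one authorized_keys line ([] if none)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":       # \" inside a value does not end it
            quoted = not quoted
        if not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":                    # unquoted blank: options field is over
                break
        else:
            cur += ch
        prev = ch
    return [o for o in opts if o]

def missing_restrictions(line, target="127.0.0.1:514"):
    """Report what an entry lacks to allow only a forward to `target` (assumed)."""
    opts = {}
    for o in split_options(line):
        name, _, value = o.partition("=")    # option keywords are case-insensitive
        opts.setdefault(name.lower(), []).append(value.strip('"'))
    def off(feature):  # disabled explicitly, or by 'restrict' (OpenSSH 7.2+)
        return "no-" + feature in opts or ("restrict" in opts and feature not in opts)
    missing = [f"no-{f}" for f in ("pty", "agent-forwarding", "x11-forwarding") if not off(f)]
    if "command" not in opts:
        missing.append("command")            # without it, 'ssh host cmd' still runs
    if opts.get("permitopen", []) != [target]:
        missing.append("permitopen")         # forwards must be pinned to the log port
    if off("port-forwarding"):
        missing.append("port-forwarding")    # the tunnel itself would be refused
    return missing

# Constructed sample entries (key material is a placeholder, not a real key).
OPEN = "ssh-rsa AAAAB3placeholder logclient@example"
TUNNEL_ONLY = ('command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,'
               'permitopen="127.0.0.1:514" ssh-rsa AAAAB3placeholder logclient@example')

if __name__ == "__main__":
    for entry in (OPEN, TUNNEL_ONLY):
        print(missing_restrictions(entry) or "forwarding-only")
```

With an entry like TUNNEL_ONLY on the log server, the client side opens the tunnel with ssh -N and a local forward to the permitted address, so no session or command is ever requested.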