Celestial Software
TOPIC: ssh -N mode e.g. connect but only forward ports ??
#2397
Re: ssh -N mode e.g. connect but only forward ports (2 Years, 1 Month ago)
Can you tell me how your ssh server is configured to disallow shell access? I'm using OpenSSH with the no-pty option on the PublicKey authentication option.

Do you have access to the server configuration?

Can you give me a screenshot of the screen after login?

Brian
bpence (Admin)
Brian Pence
Celestial Software
SSH, SFTP, and Telnet in a tabbed interface for Windows XP, Vista, Mobile, and others
#2400
Re: ssh -N mode e.g. connect but only forward ports (2 Years, 1 Month ago)
I'm not using the no-pty option because, as I understand what it does, it doesn't prevent non-interactive commands from running ... again as I understand it. I want literally NO commands to be possible through the login.

This specific SSH daemon is configured in a sparse-root zone on a Sun T5120 running Solaris 10 U8. The primary changes to the sshd_config file are:

Port 2222
AllowTcpForwarding yes
X11Forwarding no
PermitRootLogin no

Everything else is in the default configuration values. The other aspect to this is my login user is called "lockuser". This user's default login is /bin/false.

So log into this user with ssh without the -N switch and you get immediately dropped after password authentication. Try to run any command and nothing happens.
swoneill (User)
#2401
Re: ssh -N mode e.g. connect but only forward ports ?? (2 Years, 1 Month ago)
Gotcha.

The problem with this is that when /bin/false runs and exits, Absolute assumes the session is over and time to disconnect. Version 8.22 will work with the no-pty option, but not with the /bin/false method.

I've made another update that actually includes an option similar to the -N option. Download 8.24 from the link below and look at the Options->Properties->Connection-SSH2 page. There is a new button on there for 'Options'. There is an option to turn off the shell, which should leave only port forwarding enabled.

www.celestialsoftware.net/telnet/AbsoluteTelnet8.24.exe
bpence (Admin)
#2402
Re: ssh -N mode e.g. connect but only forward ports ?? (2 Years, 1 Month ago)
Tried it and it appears to work fine. I like the status message in the window saying that only port-forwarding is enabled.

Is there a limit to the number of port forwards you can configure? I'm not asking for any crazy numbers. I have between 13 and 20 forwards I need all at once.

You might be able to help me with the no-pty stuff. I tried putting this in the lockuser .ssh/authorized_keys file:

from="*.*",no-pty

And I tested the AbsoluteTelnet 8.22 version. It still disconnected immediately after password auth. I've never used the no-pty option before, so I'm curious if I set it up right for this test.
swoneill (User)
#2403
Re: ssh -N mode e.g. connect but only forward ports ?? (2 Years, 1 Month ago)
There is no limit to the number of port forwardings you can use.

The no-pty option is used in conjunction with PublicKey authentication. You can specify restrictions on a key by key basis in the authorized_keys file. So, you would need to have a keypair either generated by Absolute or ssh-keygen, and the entry in authorized_keys would look something like this:

no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAIEApu..............

These are options and restrictions placed on individual login keys, not on the login user like the "/bin/false" shell method. This could allow you, for example, to have one set of keys that allows tty access for this user and another set of keys that doesn't.

Read the sshd man page section entitled "AUTHORIZED_KEYS FILE FORMAT" for a complete description of this and other options.

You're right, though, about noninteractive commands. no-pty only restricts allocation of interactive shells. Noninteractive commands could still be executed by a client. Replacing the shell seems to be the only way to eliminate *all* command access. However, this also restricts SFTP, which also runs in a shell. However, there are ways around that if you're interested in discussing those.

Brian
bpence (Admin)
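To make the authorized_keys restrictions discussed above concrete, here is an added Python audit script (not from this thread, nor part of AbsoluteTelnet or OpenSSH) that parses entries like the `from="*.*",no-pty` line and the `no-pty ssh-rsa ...` line and reports what each key still permits. The `command=` and `restrict` options it recognises are OpenSSH's own (`restrict` arrived in OpenSSH 7.2, after this thread); the sample entries, comments and key strings are constructed placeholders.

```python
"""Audit OpenSSH authorized_keys entries: which capabilities does each key keep?"""
import re
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-\S+@openssh\.com)$")
ALL_CAPS = {"pty", "shell", "commands", "port-forwarding",
            "agent-forwarding", "x11-forwarding", "user-rc"}
# Flag options from sshd(8) AUTHORIZED_KEYS FILE FORMAT and the capability each removes.
FLAG_OPTIONS = {"no-pty": "pty", "no-port-forwarding": "port-forwarding",
                "no-agent-forwarding": "agent-forwarding",
                "no-x11-forwarding": "x11-forwarding", "no-user-rc": "user-rc"}

def split_quoted(text, sep_class):
    """Split on separators outside double quotes, so from="a,b" or command="ls -l" stay whole."""
    return re.findall(r'(?:[^%s"]|"[^"]*")+' % sep_class, text)

def parse_entry(line):
    """Return {options, keytype, key, comment} for one entry, or None for blank/comment lines."""
    fields = split_quoted(line.strip(), r"\s")
    if not fields or fields[0].startswith("#"):
        return None
    options = [] if KEY_TYPE.match(fields[0]) else split_quoted(fields.pop(0), ",")
    if len(fields) < 2 or not KEY_TYPE.match(fields[0]):
        raise ValueError("malformed authorized_keys entry: " + line)
    return {"options": options, "keytype": fields[0], "key": fields[1],
            "comment": " ".join(fields[2:])}

def capabilities(entry):
    """Capabilities a client authenticating with this key can still request."""
    caps = set(ALL_CAPS)
    for opt in entry["options"]:
        name = opt.split("=", 1)[0].lower()
        if name == "restrict":      # OpenSSH 7.2+: turns off every optional feature at once
            caps -= ALL_CAPS - {"shell", "commands"}
        elif name in FLAG_OPTIONS:  # no-pty only removes the tty; a shell/command still runs
            caps.discard(FLAG_OPTIONS[name])
        elif name == "command":     # forced command replaces the shell and any client command
            caps -= {"shell", "commands"}
    return caps

def audit(text):
    """Map each entry's comment to the sorted list of capabilities it keeps."""
    entries = (parse_entry(line) for line in text.splitlines())
    return {e["comment"]: sorted(capabilities(e)) for e in entries if e}

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = """# authorized_keys for lockuser
from="*.*",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER thread-example
command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,permitopen="10.0.0.5:5432" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER tunnel-only
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 unrestricted
"""
```

Running `audit(SAMPLE)` shows the thread's `no-pty` entry still keeps shell and command execution, while the `command="/bin/false"` entry keeps only port forwarding (the `permitopen` value further limits which destination it may reach).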