Linux – how to setup a ssh acount with no terminal but port forwarding

linuxport-forwardingputtyssh

I am trying to set up a new user account I can give to friends so they can SSH into my forward computer, and only allow forwarding of certain ports.

I do not want my friends to have a shell, or be able to change what ports to where they are allowed to forward.

example session: joe(friend) connects using PuTTY (that I have pre-set, he isn't good with computers) to example.com(my Internet facing computer) forwarding ports 8080,1990,25565 to him(with what ever end ports he wants, preferably they stay the same numbers)
example ssh command to do similar (but he can still change the ports on my computer!)

ssh -N restricteduser@example.com -p443 -L8080:192.168.1.2:8080 -L1990:127.0.0.1:1990 -L25565:127.0.0.1:25565

then, same story with other friend smith(same ports, same user even) except he is using linux, so cant use putty.

is it possible to also leave default SSH functinality for all other users but this one?

I found this when I was searching google, but alas, I did not quite understand what was being suggested, and I don't think they covered restricting port forwarding

Best Answer

The simplest way that comes to mind for me is to disable SFTP, and change the shell to /usr/sbin/nologin or the like (a program that simply prints "This account is currently not available." and exits)

If you have no worries about them storing files under their user on your machine, then you're an /etc/passwd away from a solution. If you're worried about them filling your hard drive with junk, might I suggest setting up quotas? ;)

As to restricting ports usable, the "permitopen" in sshd_config should serve that purpose nicely. It won't quite do what you want, as it can only disallow all except a given set of host targets for -L forwards, but it might be feasible to run a separate sshd specifically for these users, given you have such specific needs for their restriction.