How to create an SSH user only for tunnel

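You can add a user without a valid login shell (-m makes sure the home directory that will hold ~/.ssh/authorized_keys is created):
# useradd -m -s /sbin/nologin dbuser
Leave the password unset and generate an SSH key pair: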

(on local machine)
$ ssh-keygen

(on remote machine)
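# su -s /bin/bash - dbuser
$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
$ cat >>~/.ssh/authorized_keys
(paste the public key generated on the local machine, then press Ctrl-D)
$ chmod 600 ~/.ssh/authorized_keys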
At this point, you can use SSH to create the tunnel:
$ ssh -TfnN -L localhost:<local_port>:localhost:<db_server_port> dbuser@remote_host
ssh goes to the background immediately after authenticating and does not attempt to execute any command (-N), but the tunnel stays open. An ordinary login as the remote user does not get a shell or run a command; /sbin/nologin kicks it out every time:

$ ssh dbuser@remote_host
Last login: Fri Jun 10 09:27:24 2016 from local_host
This account is currently not available.
Connection to remote_host closed.
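
The nologin shell only blocks interactive sessions; which destinations the account may forward to is decided by sshd settings. The script below is an added example, not part of the original post: it checks `sshd -T` style output for a tunnel-only account, and the port 5432, the function names and the sample settings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a tunnel-only account can forward to one
# destination and nothing else. Feed it the effective settings, e.g.
#   sshd -T -C user=dbuser,host=remote_host,addr=127.0.0.1 | audit_tunnel_only localhost:5432
# A Match block that passes (5432 is an assumed database port):
#   Match User dbuser
#       AllowTcpForwarding local
#       PermitOpen localhost:5432
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY no
#       PermitTunnel no
#       GatewayPorts no

# $1 = the only allowed forwarding destination; stdin = "keyword value" lines.
# Prints one finding per line; no output means the account is locked down.
audit_tunnel_only() {
    awk -v want="$1" '
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
        END {
            if (val["allowtcpforwarding"] != "local")
                print "allowtcpforwarding=" val["allowtcpforwarding"] " (want local)"
            if (val["permitopen"] != want)
                print "permitopen=" val["permitopen"] " (want " want ")"
            n = split("allowagentforwarding x11forwarding permittty permittunnel gatewayports", off, " ")
            for (i = 1; i <= n; i++)
                if (val[off[i]] != "no")
                    print off[i] "=" val[off[i]] " (want no)"
        }'
}

# Constructed sample: what the article's setup leaves in place on stock defaults.
sample_default() {
    printf '%s\n' 'allowtcpforwarding yes' 'permitopen any' \
        'allowagentforwarding yes' 'x11forwarding no' 'permittty yes' \
        'permittunnel no' 'gatewayports no'
}

# Constructed sample: effective settings with the Match block above applied.
sample_hardened() {
    printf '%s\n' 'allowtcpforwarding local' 'permitopen localhost:5432' \
        'allowagentforwarding no' 'x11forwarding no' 'permittty no' \
        'permittunnel no' 'gatewayports no'
}

echo "stock defaults:"; sample_default | audit_tunnel_only localhost:5432
echo "hardened:";       sample_hardened | audit_tunnel_only localhost:5432
```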
