Creating a Secure SSH Tunnel User
23rd of July, 2009 | Filed under How To's
It appears that I have the chronic problem of keeping sites interesting and ongoing due to not providing enough new content. So here I give you a sporadic new post.
SSH tunnelling is great, but it is easy to forget that the tunnel runs as a user account with login rights on the server.
To limit what that account can do, you can create a dedicated user that can only tunnel over SSH and is not allowed to browse directories, execute commands, and so on.
First, create a user with adduser or useradd (depending on your distro) and jail it securely to a directory. Also make sure that you can log in as this user over SSH. I won't go through these steps, since they are easily found on the web.
Next, add this to the end of the user's profile:
# Run the jail script, then end the login shell whatever it returned.
"$HOME/jail.sh"
exit 0
The user's profile lives in its home directory under the name .profile or .bash_profile. Again, this depends on your distro.
Next, create a file called jail.sh in the home directory with contents along these lines:
#!/bin/sh
# Hold the session open so the tunnels stay up. `read` returns when the
# user presses Enter (or the session is closed), and then the script exits.
echo "SSH tunnel user: press Enter to exit."
read x
exit 0
Save the file and chmod it:
chmod +x jail.sh
If you now log in as the user via SSH, the session stays open until Enter is pressed. This lets you tunnel over that specific account while denying the other actions that could harm you if someone gets hold of it.
For the actual tunneling itself I recommend using PuTTY or Tunnelier for Windows.
For Linux, use something along the lines of the following command:
ssh -fqND 8086 sshtunnelusr@my.ip.com -p 4423
8086 is the port of the local SOCKS proxy that ssh opens.
sshtunnelusr is the user on the remote SSH server.
my.ip.com is the remote SSH server's address.
4423 is the remote SSH server's port; the default is 22.
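The profile trick above only applies to interactive login shells: a client that asks sshd for a command ("ssh sshtunnelusr@my.ip.com somecommand") gets a non-login shell that never reads .profile, so the jail script never runs. The robust place to enforce "tunnel only" is sshd itself, with a Match block and a restricted authorized_keys line. The script below is an added example, not code from the original post; it assumes OpenSSH 7.2 or newer (for the "restrict" key option), the config file at /etc/ssh/sshd_config, and that the sshtunnelusr account from the post already exists. With ForceCommand /bin/false, any session request ends at once, which is exactly why the client has to connect with -N as in the ssh command above; the tunnels themselves keep working. The public key line and the PermitOpen addresses in the comments are constructed values.

```sh
#!/bin/sh
# Added example, not from the original post: enforce "tunnel only" in sshd
# itself rather than in the user's login profile.
# Assumptions: OpenSSH 7.2 or newer (for the "restrict" key option), the
# config file at /etc/ssh/sshd_config, and a user named sshtunnelusr that
# already exists (the name is taken from the post; the paths are assumed).

TUNNEL_USER="${TUNNEL_USER:-sshtunnelusr}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Print a Match block that disables everything except TCP forwarding.
# ForceCommand /bin/false ends any session request immediately, so the
# client has to connect with -N (as the post's "ssh -fqND ..." command does).
match_block() {
    user="$1"
    cat <<EOF
Match User $user
    ForceCommand /bin/false
    PermitTTY no
    AllowTcpForwarding yes
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Optional: limit where the SOCKS proxy may connect (constructed values).
    # PermitOpen 10.0.0.5:80 10.0.0.5:443
EOF
}

# Print an authorized_keys line that carries the same restrictions on the key:
# "restrict" turns off pty, agent/X11 forwarding, port forwarding and user-rc,
# "port-forwarding" then re-enables only what the tunnel needs.
restricted_key_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding %s\n' "$pubkey"
}

# Read the effective configuration for the user, as printed by
# "sshd -T -C user=<name>", from stdin and verify the settings that matter.
# Returns 0 when every required setting is present, 1 otherwise.
check_effective_config() {
    cfg=$(cat)
    missing=0
    for want in "forcecommand /bin/false" "permittty no" "allowtcpforwarding yes" \
                "allowagentforwarding no" "x11forwarding no"; do
        if ! printf '%s\n' "$cfg" | grep -qix "$want"; then
            echo "missing or wrong: $want" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Apply everything (needs root): install the restricted key, append the Match
# block, syntax-check the result and confirm the effective settings.
install_restrictions() {
    pubkey="$1"
    home=$(getent passwd "$TUNNEL_USER" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "user $TUNNEL_USER does not exist" >&2
        return 1
    fi
    install -d -m 700 -o "$TUNNEL_USER" "$home/.ssh"
    restricted_key_line "$pubkey" > "$home/.ssh/authorized_keys"
    chown "$TUNNEL_USER" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    match_block "$TUNNEL_USER" >> "$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG" || return 1   # refuse to continue on a syntax error
    sshd -T -f "$SSHD_CONFIG" -C "user=$TUNNEL_USER" | check_effective_config
}

# Usage: sudo ./tunnel-user.sh install 'ssh-ed25519 AAAA... comment'
if [ "${1:-}" = "install" ]; then
    if [ -z "${2:-}" ]; then
        echo "usage: $0 install '<public key line>'" >&2
        exit 2
    fi
    install_restrictions "$2"
fi
```

Match blocks take effect from their line to the end of the file, which is why the block is appended rather than inserted. After the script reports a clean check, reload sshd in whatever way your distro provides; "sshd -T -C user=sshtunnelusr" can be re-run at any time to confirm the effective settings for that account.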
Questions? Ask them in the comment section or contact me.
