Thank you for the responses. I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via a HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict thier access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes. Thoughts?? Albert <div class="gmail_quote">On Mon, Dec 17, 2012 at 4:08 AM, Jan Cholasta <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi, this should work and you don't even have to set the shell to /sbin/nologin (depends on whether you want the users to be able to login to the system by other means or not), as the command directive in authorized_keys takes precedence. The tricky part is escaping the value correctly (there is shell escaping, IPA CSV quote escaping and authorized_keys quote escaping in effect): $ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1; print \""Tunnel created, use your webbrowser to connect to the tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding ssh-rsa ..."' Honza<div class="im"> On 17.12.2012 03:23, Peter Brown wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Hi Albert, Have you tried putting that command in the public key for the user in freeipa and setting the user shell to /sbin/nologin or the equivalent? On 15 December 2012 02:09, Albert Adams <<a href="mailto:biteoag@gmail.com" target="_blank">biteoag@gmail.com</a> </div><div class="im"> <mailto:<a href="mailto:biteoag@gmail.com" target="_blank">biteoag@gmail.com</a>>> wrote: In our environment we have several systems where users require access to the system to setup an SSH tunnel but should not have a shell on the system. Prior to rolling out IPA we accomplished this with the authorized_keys file as follows: command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding Is there a way to accomplish this in IPA? Regards, Albert _______________________________________________ Freeipa-users mailing list </div> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><div class="im"> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></blockquote> -- Jan Cholasta </blockquote></div>