[Freeipa-users] Allow IPA users to create SSH tunnel with no shell
Jan Cholasta
jcholast at redhat.com
Mon Dec 17 09:08:59 UTC 2012
Hi,
this should work and you don't even have to set the shell to
/sbin/nologin (depends on whether you want the users to be able to login
to the system by other means or not), as the command directive in
authorized_keys takes precedence.
The tricky part is escaping the value correctly (there is shell
escaping, IPA CSV quote escaping and authorized_keys quote escaping in
effect):
$ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1;
print \""Tunnel created, use your webbrowser to connect to the
tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep
60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding
ssh-rsa ..."'
Honza
On 17.12.2012 03:23, Peter Brown wrote:
> Hi Albert,
>
> Have you tried putting that command in the public key for the user in
> freeipa and setting the user shell to /sbin/nologin or the equivalent?
>
>
> On 15 December 2012 02:09, Albert Adams <biteoag at gmail.com> wrote:
>
> In our environment we have several systems where users require
> access to the system to set up an SSH tunnel but should not have a
> shell on the system. Prior to rolling out IPA we accomplished this
> with the authorized_keys file as follows:
>
> command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
> webbrowser to connect to the tool\n\";while(1) { print
> localtime(time) . \"\n\"; sleep
> 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
>
> Is there a way to accomplish this in IPA?
>
> Regards,
> Albert
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
--
Jan Cholasta
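Added example (not from the thread or from the FreeIPA project): the three quoting layers Jan describes, written out as small Python functions so the final `ipa user-mod` line can be generated from the plain forced command and then unwrapped again to check that the authorized_keys line sshd will see matches what Albert used. The forced command and the key are constructed placeholders; the CSV layer reflects the `--sshpubkey` handling of the IPA CLI as described in the reply, and is an assumption about the version in use (later releases may accept repeated options instead).

```python
import csv
import io
import shlex

# Constructed sample: the forced command from the thread, in its plain form
# (real double quotes, and a literal backslash-n that perl interprets).
FORCED_COMMAND = (
    "/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to "
    "connect to the tool\\n\";while(1) { print localtime(time) . \"\\n\"; sleep 60}'"
)
# Constructed placeholder key, not a real key.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== tunnel-user"


def authorized_keys_options(command, permitopen):
    """Layer 1: the option list as sshd's authorized_keys parser expects it.
    Inside a quoted option value a literal double quote is written as \\".
    command= replaces whatever the user asked for (shell or not), and
    permitopen= limits forwarding to the one listed destination."""
    escaped = command.replace('"', '\\"')
    return (f'command="{escaped}",permitopen="{permitopen}",'
            'no-agent-forwarding,no-X11-forwarding')


def ipa_csv_quote(value):
    """Layer 2 (assumed IPA CLI behaviour): multi-valued options are split on
    commas with CSV rules, so a value containing commas is wrapped in double
    quotes and every embedded double quote is doubled."""
    return '"' + value.replace('"', '""') + '"'


def ipa_user_mod_command(user, command, permitopen, pubkey):
    """Layer 3: shell quoting of the whole --sshpubkey argument.
    shlex.quote uses '"'"' for an embedded single quote, equivalent to the
    '\\'' form used in the thread."""
    opts = authorized_keys_options(command, permitopen)
    value = ipa_csv_quote(f"{opts} {pubkey}")
    return f"ipa user-mod {shlex.quote(user)} --sshpubkey={shlex.quote(value)}"


def unwrap(shell_cmd):
    """Reverse the three layers to see the key line sshd would end up with:
    shell word splitting, then CSV field parsing of the --sshpubkey value."""
    argv = shlex.split(shell_cmd)
    raw = next(a for a in argv if a.startswith("--sshpubkey="))
    raw = raw[len("--sshpubkey="):]
    fields = next(csv.reader(io.StringIO(raw)))
    if len(fields) != 1:
        raise ValueError(f"CSV quoting broke the value into {len(fields)} fields")
    return fields[0]


if __name__ == "__main__":
    cmd = ipa_user_mod_command("user", FORCED_COMMAND, "localhost:8834", SAMPLE_KEY)
    print(cmd)
    print()
    print("authorized_keys line after unwrapping:")
    print(unwrap(cmd))
```

Running the script prints the fully escaped `ipa user-mod` line and, below it, the unwrapped authorized_keys entry; if the unwrapped entry does not read exactly like the hand-written line from the original mail, one of the layers is mis-quoted.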