[Freeipa-users] Allow IPA users to create SSH tunnel with no shell

Jan Cholasta jcholast at redhat.com
Mon Dec 17 09:08:59 UTC 2012


Hi,

This should work, and you don't even have to set the shell to 
/sbin/nologin (it depends on whether you want the users to be able to log in 
to the system by other means or not), as the command directive in 
authorized_keys takes precedence.

The tricky part is escaping the value correctly (there is shell 
escaping, IPA CSV quote escaping and authorized_keys quote escaping in 
effect):

$ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1; print \""Tunnel created, use your webbrowser to connect to the tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding ssh-rsa ..."'

Honza

On 17.12.2012 03:23, Peter Brown wrote:
> Hi Albert,
>
> Have you tried putting that command in the public key for the user in
> freeipa and setting the user shell to /sbin/nologin or the equivalent?
>
>
> On 15 December 2012 02:09, Albert Adams <biteoag at gmail.com
> <mailto:biteoag at gmail.com>> wrote:
>
>     In our environment we have several systems where users require
>     access to the system to set up an SSH tunnel but should not have a
>     shell on the system.  Prior to rolling out IPA we accomplished this
>     with the authorized_keys file as follows:
>
>     command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
>
>     Is there a way to accomplish this in IPA?
>
>     Regards,
>     Albert
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>


-- 
Jan Cholasta
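As an added example (not part of the thread, and not FreeIPA's own code), here is a small Python script that applies the three escaping layers from the reply in order and then undoes them the way the shell and the IPA CLI would, to check that the intended authorized_keys line comes out the other end. It assumes that the IPA CLI of that era split option values with Python's csv module in its default dialect (quote character `"`, inner quotes doubled), which is the behaviour the reply describes, and that the ssh-rsa key blob is a placeholder; the `user` name and helper function names are made up for the example.

```python
import csv
import io
import shlex

# Constructed sample: the authorized_keys line the original poster wants IPA
# to hand to sshd. The key blob is a placeholder, not a real key.
AUTHORIZED_KEYS_LINE = (
    'command="/usr/bin/perl -e \'$|=1; print \\"Tunnel created, use your '
    'webbrowser to connect to the tool\\n\\";while(1) { print localtime(time) '
    '. \\"\\n\\"; sleep 60}\'",permitopen="localhost:8834",'
    'no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB'
)

# The hand-escaped --sshpubkey value from the reply above, still in its
# shell-quoted form, with the placeholder key blob substituted for "...".
HAND_ESCAPED_ARG = r"""'"command=""/usr/bin/perl -e '\''$|=1; print \""Tunnel created, use your webbrowser to connect to the tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB"'"""


def ipa_csv_quote(value):
    """Layer 2: quote a value so a default-dialect CSV reader returns it intact.

    Assumption: the IPA CLI splits the option on commas with csv's default
    dialect, so the whole value is wrapped in double quotes and every inner
    double quote is doubled. Backslashes need no treatment (no escapechar).
    """
    return '"' + value.replace('"', '""') + '"'


def ipa_csv_split(option_value):
    """Simulate what the IPA CLI does with the option value (assumed behaviour)."""
    return next(csv.reader(io.StringIO(option_value)))


def build_ipa_command(user, authorized_keys_line):
    """Layers 2 and 3: CSV-quote for IPA, then shell-quote for the terminal.

    Layer 1 (the \\" inside the perl -e string) is already part of the
    authorized_keys line itself, exactly as it would sit in the file.
    """
    return "ipa user-mod %s --sshpubkey=%s" % (
        shlex.quote(user),
        shlex.quote(ipa_csv_quote(authorized_keys_line)),
    )


def decode_sshpubkey_argument(shell_arg):
    """Undo shell quoting, then IPA's CSV split, for one --sshpubkey argument."""
    (unquoted,) = shlex.split(shell_arg)
    return ipa_csv_split(unquoted)


def round_trip_command(command_line):
    """Extract the --sshpubkey option from a full command line and decode it."""
    argv = shlex.split(command_line)
    opt = [a for a in argv if a.startswith("--sshpubkey=")][0]
    return ipa_csv_split(opt[len("--sshpubkey="):])


if __name__ == "__main__":
    cmd = build_ipa_command("user", AUTHORIZED_KEYS_LINE)
    print(cmd)
    # Both the generated command and the hand-escaped one from the reply
    # decode to exactly one key, identical to the intended line.
    assert round_trip_command(cmd) == [AUTHORIZED_KEYS_LINE]
    assert decode_sshpubkey_argument(HAND_ESCAPED_ARG) == [AUTHORIZED_KEYS_LINE]
    # Forgetting the CSV layer splits the line on its commas into fragments
    # (the comma inside the perl message string, plus the three option
    # separators), which IPA would then treat as separate, broken keys.
    print(len(ipa_csv_split(AUTHORIZED_KEYS_LINE)), "fragments without CSV quoting")
```

shlex.quote writes the embedded single quotes as `'"'"'` rather than the `'\''` used in the reply; both forms decode to the same argument, as the round trip shows. The last check is the failure mode worth remembering: without the outer CSV quoting the commas in the key options (and the one in the perl message) split the value into several fragments.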

