SSH tunnel without shell (no terminal) and with group permission

This How-To will show you how to set up a user that is able to use ssh as a tunnel shell proxy, but without a shell (tunnel only) / no terminal – in 5 steps and less than 5 minutes. It also shows how to separate ssh users, tunnel users and normal users by group access in sshd.

My distribution is based on Debian (Ubuntu), your paths might be slightly different, but the configuration is kinda the same for all systems. I presume you have already installed the OpenSSH server and have basic knowledge of Unix and how to edit files and move between directories.

– Do all of the following configuration with the root user or with sudo.

1. Enter this in console to add two new groups:

2. In /etc/ssh/sshd_config, add or replace the following lines (best at the end of the file):

3. Add yourself to your allow-groups. If you don’t do this, you will probably lose access to your server!

Note: You cannot allow tunnel usage for a user that may not log into ssh.

4. Removing the shell

Create a new file (e.g. “vi /usr/bin/tunnel_shell”) and make it executable with “chmod +x /usr/bin/tunnel_shell”.


Security note: Big Papoo added the following comment, which I cannot confirm but suggest considering: CTRL+Z will escape from the script giving you full access to bash… Try adding “trap '' 20” (without quotes) at very beginning of script.

Edit the user’s /etc/passwd line and change the shell to “/usr/bin/tunnel_shell”.


5. Finally, “/etc/init.d/sshd restart” and enjoy 😉
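One way to carry out steps 1 to 5, as an added example that is not the author's original listing. The group names `sshusers` and `sshtunnel`, the user `tunneluser`, the use of `$SUDO_USER` and the staging directory are assumptions; the files are written to a directory for review instead of being installed directly.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumed names: groups
# "sshusers" and "sshtunnel", existing user "tunneluser"; paths follow the post.
# Everything is staged under a directory so it can be reviewed before use.

stage_tunnel_setup() {            # $1 = staging directory
    stage=$1
    mkdir -p "$stage" || return 1

    # Step 4: login "shell" that never executes anything for the user.
    cat > "$stage/tunnel_shell" <<'EOF'
#!/bin/sh
trap '' TSTP INT QUIT   # ignore Ctrl+Z (TSTP, signal 20 on most Linux), Ctrl+C, Ctrl+\
echo "Tunnel-only account: port forwarding only, no shell is available."
# Arguments such as "-c <command>" are ignored. Wait until the client
# closes the session (EOF on stdin), then exit instead of lingering.
while read -r line; do :; done
EOF
    chmod 755 "$stage/tunnel_shell"

    # Step 2: lines for the end of /etc/ssh/sshd_config.
    cat > "$stage/sshd_config.append" <<'EOF'
# Only members of these groups may log in over ssh at all.
AllowGroups sshusers sshtunnel
# Members of sshtunnel keep TCP forwarding but get no terminal or command.
Match Group sshtunnel
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /usr/bin/tunnel_shell
EOF

    # Steps 1, 3 and 4: run as root from inside the staging directory.
    cat > "$stage/apply.sh" <<'EOF'
#!/bin/sh
set -e
groupadd sshusers
groupadd sshtunnel
usermod -aG sshusers "$SUDO_USER"   # step 3: your own account (assumes sudo)
install -m 755 tunnel_shell /usr/bin/tunnel_shell
usermod -aG sshtunnel -s /usr/bin/tunnel_shell tunneluser
cat sshd_config.append >> /etc/ssh/sshd_config
sshd -t    # stop before the restart in step 5 if the config does not parse
EOF
}

if [ -n "${1:-}" ]; then stage_tunnel_setup "$1"; fi
```

Restart sshd only after `sshd -t` succeeds, and keep your current root session open until a fresh login with your own account has worked.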

SSH Settings
You are usually behind a proxy if you need to tunnel your connections, so don’t forget to set your (company’s / school’s) proxy in the PuTTY settings!
(To use the tunnel, in your browser or application set localhost with port 9999 (socks5) as proxy.)

Useful links:
Putty


5 thoughts on “SSH tunnel without shell (no terminal) and with group permission”

  1. Hello,

    The problem with the above script is that it will leave 2 zombie processes on the remote SSH server: SSH process and /usr/bin/tunnel_shell.
    When opening the tunnel from your local workstation, you won’t be able to send via SSH any SIGNAL, you can only forcibly close the running terminal, while the SSH session along with the shell script will remain open on the remote SSH server.
