Using Putty only with port forwarding

On a Unix (Solaris) server I have OpenSSH 3.4p1 running.  I have set up
an account which should be used by a number of users only to do port
forwarding to a given port, but they should not be able to execute a
shell or any other command.  In the authorized_keys file of that
account I did

    ssh-rsa <key-data> <comment>

This works as expected when using the OpenSSH client with -N option to
not execute a command on the remote side, i.e.

    ssh -N -f -L 2401:localhost:2401 user@server

However, some users on Windows machines want to use Putty on the
client side, and I couldn't find a way to prevent Putty from trying to
run a shell or a command on the server.  In any case the server would
run /bin/false and disconnect.

One idea I haven't tried yet is to run cat >/dev/null instead of
/bin/false, so the command doesn't exit and the connection is kept.
This is not very elegant however, compared to OpenSSH's -N option.  Is
there a way to cleanly do what I want with Putty?


Re: Using Putty only with port forwarding

Try "command=/bin/sleep 1000".  That way they'll exit eventually, rather
than hanging around indefinitely after the connections die.  If you need
to keep the connections up indefinitely, put PuTTY's plink in a loop
or something.

As long as there's a forwarded channel opened before the sleep finishes
the sshd will wait for it to finish before exiting (although as it
looks like you're forwarding CVS, that probably won't matter much).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Using Putty only with port forwarding

No, not at the moment.  It's on the wishlist:


Re: Using Putty only with port forwarding

Urs Thuermann wrote:

Just create a null-shell on the server side (i.e. a small prog that just
echoes the input or such thing) and make it the user's shell. This should be
ok. Whatever you specify on client-side can be changed by your users.


peter pilsl
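
Since client-side settings can be changed by users, the restriction discussed in the replies above has to be enforced in the account's authorized_keys. The following sh script is an added example, not code from the thread: it reports which restricting options a key entry lacks. The required-option policy (`command=`, `no-pty`, `permitopen=`), the function names and the sample entries are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries of a forwarding-only account.
# REQUIRED is an assumed policy for this example, not taken from the thread.
REQUIRED='command= no-pty permitopen='

# Print the options of one authorized_keys line, one per line. Quote-aware,
# so commas or spaces inside command="..." do not split an option.
key_options() {
  printf '%s\n' "$1" | awk '
    /^(ssh-|ecdsa-|sk-)[^ \t]*[ \t]/ { next }  # begins with key type: no options
    {
      opt = ""; q = 0
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (q && c == "\\") { opt = opt c substr($0, i + 1, 1); i++; continue }
        if (c == "\"") q = !q
        if (!q && (c == " " || c == "\t")) break
        if (!q && c == ",") { print opt; opt = ""; continue }
        opt = opt c
      }
      if (opt != "") print opt
    }'
}

# Print the required options a line lacks (space separated; empty if none).
missing_restrictions() {
  opts=$(key_options "$1")
  missing=""
  for want in $REQUIRED; do
    case "$want" in
      *=) pattern="^$want\"" ;;   # option that takes a quoted value
      *)  pattern="^$want\$" ;;   # bare flag
    esac
    printf '%s\n' "$opts" | grep -qi -- "$pattern" || missing="$missing $want"
  done
  printf '%s\n' "${missing# }"
}

# Constructed sample entries (placeholder key data, as on the page).
OPEN_KEY='ssh-rsa <key-data> <comment>'
LOCKED_KEY='command="/bin/sleep 1000",no-pty,permitopen="localhost:2401" ssh-rsa <key-data> <comment>'

echo "open:   missing [$(missing_restrictions "$OPEN_KEY")]"
echo "locked: missing [$(missing_restrictions "$LOCKED_KEY")]"
```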
