There are times when you want to prevent a user from running any commands on the server without disabling the account entirely, for example to let an account open port forwards but give it no shell access.
This can be done with the ForceCommand directive in sshd_config. ForceCommand replaces whatever the client asked to run (including an interactive shell) with the command you specify, but it does not by itself block port forwarding, which is what makes it useful here. Two things to keep in mind: the forced command is run through the user's login shell with -c, so the account still needs a real shell in /etc/passwd (not /bin/false or nologin), and the client must connect with ssh -N, otherwise the session ends as soon as the forced command prints its message. Sample config:
Match User limiteduser
AllowAgentForwarding no
ForceCommand echo 'This account can only be used for port forward'
In addition, you may want to limit which destinations the user can forward to. The PermitOpen directive restricts the host:port pairs accepted for local forwarding requests (-L and -D); it does not restrict remote forwarding (-R), which OpenSSH 7.8 and later control with the separate PermitListen directive. The host part is compared as a string against what the client requested, so if clients may write either "localhost" or "127.0.0.1", list both (entries are separated by whitespace):
PermitOpen localhost:62222
Other options of interest, which can also go inside the Match block (AllowTcpForwarding additionally accepts "local" or "remote" to permit only one direction):
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
GatewayPorts no
To restrict a user to SFTP inside a chrooted directory, use internal-sftp, which needs no binaries or libraries inside the jail. sshd requires every component of the ChrootDirectory path to be owned by root and not writable by group or others, so the jail itself must be read-only for the user; create a root-owned jail with a user-owned subdirectory inside it for uploads:
Match User sftpuser
ChrootDirectory /path/to/jail
ForceCommand internal-sftp