To: cygwin AT cygwin DOT com
From: René Berber
Subject: Re: Limit access via openssh?
Date: Wed, 14 Nov 2007 15:02:49 -0600

Tony Benham wrote:
> This isn't strictly a cygwin question, but I'm using cygwin ssh implementation.
> I have an external user that uses ssh & public key to open a tunnel to my
> windows server running cygwin. They use the tunnel to connect to an apache
> server inside our network. This all works fine. What I want to do is to limit
> their access to only the apache server, and prevent them opening terminals on
> our server ?
> Is this possible ?

Yes.

The way to do it is using the options on the authorized_keys file, see 'man 8
sshd' section 'AUTHORIZED_KEYS FILE FORMAT'.

The format of ~/.ssh/authorized_keys is:

TYPE KEY COMMENT

you use the format with options:

options TYPE KEY COMMENT

where, in your case, options are:

no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="host:port"

(change host:port to the values used by your tunnel).

-- 
René Berber
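
An added example, not part of the reply above: a small Python check that parses the options field of an authorized_keys line (quoted values may contain commas and spaces) and reports which of the options named in the reply are missing from a tunnel-only key. The function names, the sample lines, the placeholder key and `intranet.example:80` are constructed for illustration, and the extra check for a forced `command=` option is an assumption added here, since `no-pty` blocks terminal allocation but not commands run without a terminal.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options
TUNNEL_FLAGS = ("no-pty", "no-x11-forwarding", "no-agent-forwarding")

# Constructed sample lines; AAAAEXAMPLEKEY is a placeholder, not a real key.
SAMPLE_OPEN = 'ssh-rsa AAAAEXAMPLEKEY external-user'
SAMPLE_REPLY = ('no-pty,no-X11-forwarding,no-agent-forwarding,'
                'permitopen="intranet.example:80" ssh-rsa AAAAEXAMPLEKEY external-user')
SAMPLE_FORCED = 'command="echo tunnel only, no shell",' + SAMPLE_REPLY


def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p]


def parse_options(line):
    """Return {option name: [values]} for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return {}
    opts = {}
    for item in split_unquoted(split_unquoted(line, " ")[0], ","):
        name, _, value = item.partition("=")
        # Option keywords are case-insensitive, so normalise the name.
        opts.setdefault(name.lower(), []).append(value.strip('"'))
    return opts


def audit_tunnel_key(line):
    """Findings for a key that is meant to open one tunnel and nothing else."""
    opts = parse_options(line)
    findings = ["missing " + flag for flag in TUNNEL_FLAGS if flag not in opts]
    if "permitopen" not in opts:
        findings.append("no permitopen: forwarding target is not limited")
    if "command" not in opts:  # assumption added here, not from the reply
        findings.append("no command=: commands can still run without a pty")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_REPLY, SAMPLE_FORCED):
        print(audit_tunnel_key(sample))
```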