Ask the Expert

Allowing port-forwarding over SSH while preventing access to appserver

For one of our applications where occasionally the client runs on an external network, we need to hop through a bastion box to the application server, which lies within a SON. We are port forwarding the traffic (TCP2531) over the SSH session.

We are requiring authentication (SecurID) to SSH to the bastion box but have a script that will connect the user from the bastion box to the application server using the following command:

/usr/local/bin/ssh -l username -L 2531:127.0.0.1:2531 appserver.domain.com

My question is this: We need the port forwarding for the application but we don't want the user to then have access to a shell. I've tried setting the shell to /dev/null to no avail. Any suggestions on how we can prevent the user from gaining access to the appserver but allow the port forwarding over SSH to work?

Thanks in advance!


tail -f to the rescue! This command is typically used to see the contents of text log files (tail -f /etc/something.log), but it can be helpful in other areas as well.

You are on the right track with /dev/null, but you need to do things a little differently. Try this command:

ssh -f -L 2531:127.0.0.1:2531 -l username appserver.domain.com tail -f /dev/null

In this example, the tail -f /dev/null is used to keep the session open. This way, you don't have an actual shell session open and running.

Regards,
K
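The expert's command keeps the tunnel up without an interactive shell, but the remote command is chosen by the client, so a user who types a different command in place of tail -f /dev/null still gets one. The server side of the hop is where the restriction has to live. The script below is an added example, not part of the original Q&A or the expert's answer: it writes a Match block for the application server's sshd_config that allows forwarding only to the application port and refuses any command or shell, and pairs it with a client command that uses -N instead of a keepalive command. The account name "username", the application port 127.0.0.1:2531 and the host appserver.domain.com are taken from the question; the file path passed to install_match_block and the use of an OpenSSH release that supports Match blocks with these directives are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original Q&A: enforce "port forwarding only"
# in the application server's sshd instead of relying on the remote command
# the client chooses. Assumptions: the hop account is "username", the
# application listens on 127.0.0.1:2531 on the app server, and sshd is an
# OpenSSH release that supports Match blocks with the directives below.

# The Match block appserver's sshd_config needs for the forwarding account.
# AllowTcpForwarding plus PermitOpen allow exactly one destination; ForceCommand
# replaces any command (or shell) the user asks for; the remaining lines close
# the side channels (tty, X11, agent, tun) a forwarding-only account never needs.
sshd_match_block() {
    cat <<'EOF'
Match User username
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:2531
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
EOF
}

# Append the block to a config file (pass /etc/ssh/sshd_config in production;
# the path is a parameter so the function can be exercised on a copy first).
# A Match block must follow the global settings, so appending is the right spot.
install_match_block() {
    cfg="$1"
    if grep -q '^Match User username$' "$cfg" 2>/dev/null; then
        echo "Match block for username already present in $cfg" >&2
        return 0
    fi
    printf '\n' >> "$cfg"
    sshd_match_block >> "$cfg"
}

# Syntax-check a config file with sshd itself before reloading (needs root for
# the real file; returns non-zero if sshd is not installed on this host).
check_config() {
    command -v sshd >/dev/null 2>&1 || return 1
    sshd -t -f "$1"
}

# The client side of the tunnel. -N opens no session channel at all, so there
# is nothing for ForceCommand to run and the connection exists only for the
# forwarded port; it replaces the "tail -f /dev/null" keepalive.
client_command() {
    echo "ssh -N -L 2531:127.0.0.1:2531 -l username appserver.domain.com"
}

# Show what sshd will actually apply for the account (run on appserver as root).
show_effective() {
    sshd -T -C user=username,host=appserver.domain.com,addr=127.0.0.1 \
        | grep -E '^(allowtcpforwarding|permitopen|forcecommand|permittty)'
}

# Stand-alone run: print the block and the matching client command.
sshd_match_block
echo "# client:"
client_command
```

With this in place a user who runs ssh appserver.domain.com with or without a command gets /bin/false and is disconnected, while the -N tunnel to port 2531 works; PermitOpen also stops the account from being used to reach any other host or port from the application server. Since the original setup authenticates with SecurID rather than keys, the restriction goes in sshd_config; the same limits can be expressed per key in authorized_keys when key authentication is used.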


This was first published in March 2002
