Bending bits since 1984

Ssh tunnel without login shell.


A user needs secure access to a service behind a firewall. In this case the users system is Windows 10 and the server runs Debian Linux.

The user do not need a shell on the server, and it’s always good to be restrictive with access.



First of all you need to create a account for the user on the server.

There’s going to be a lot of sudoing, which appears to be best practice. I prefer just running sudo -i and be done with it.

The user will login and create the ssh tunnel using a rsa key instead of a password. However, some systems disables any login for accounts without a password. So to be on the safe side it’s best to set a password.

You can use something like openssl rand -base64 32 or date +%s | sha256sum | base64 | head -c 32 ; echo or just use your favorite password generator.

Copy the password, run adduser and answer the questions.
adduser username

Disable shell access for the user.
chsh -s /usr/sbin/nologin username

Then create a ssh folder for the user and set appropriate permissions.
mkdir /home/username/.ssh
chown username:username /home/username/.ssh
chmod 700 /home/username/.ssh

Generate a ssh rsa keypair.

ssh-keygen -f /home/username/.ssh/rsa_key
Leaving the password empty is possible as long as one realize that the keyfile is the password and should be treated accordingly.
You should now have a private key named rsa_key and a public key named  rsa_key is just an example, you can name the keyfiles anything.

In order to allow ssh login the key must be added to the users authorized_keys. And permissions need to be set.

cd /home/username/.ssh
cat >> authorized_keys
chown username:username *
chmod 600 *

Finally the private key needs to be placed on the users computer. One way would be to simply use scp or pscp to transfer it.

Once the private key is copied you can delete it from the server.


For the client we’ll use plink.exe

But before running plink the private key generated by ssh must be converter to a format readable by plink. Luckily the linked page with plink also contains the program we need. So go ahead and get puttygen.exe as well.

Then just run puttygen.exe and click “Load” to select and load your (the users) private key.

Once the key is loaded you just click “Save private key” to save it. Save as rsa_key.ppk or similar.

Close puttygen.

Feel free to delete the old key.

Make sure the key is saved at a safe place and that only the user who needs it has permission to read it.

Finally you are ready to create a ssh tunnel.

To give the user access to port 8080 execute plink like this.

plink.exe -i rsa_key.ppk -l username -L 8080:

To make your users life easier you could put the command in a .bat file 🙂

You may have missed