[RESOLVED] SSH tunnel access without a working shell?

[GetCool]

I have a strange request that I'm not sure is possible, but here it is:

What I want to do is give a bunch of Windows clients access to samba shares on my server over an SSH tunnel. I have found a solution on these forums that is pretty easy to do: just run Putty on the Windows client, establish an SSH connection and tunnel port 139, and you can go right to the share using Windows Explorer. The problem with this, however, is that it requires the user to log in to a shell using Putty to establish the tunnel. I don't want this.

Is there a way that I can let users tunnel port 139 without having shell access? I have looked at scponly and rssh, but I don't know if either of those will work here since they are meant for SCP/SFTP (plus I wouldn't be able to use Putty anymore). On that note, I should mention that I don't want to use SCP/SFTP because I want the Windows clients to be able to access the shares as seamlessly as possible so the files can be accessed directly from programs.

I also thought about chrooting users to their home dirs or something, but I don't know if that's the best idea or not. Any suggestions?

Thanks.

[trossachs]

I'm glad you have posted this question as I would also like to know how this would work. I've setup SSH tunnelling with M$ and Nix boxes, but a straight thru, username/password arrangement would be pref.

Or even, using the same kind of encryption key depending on which client generated the key.

[bone]

I have never did anything like this before, so I might just be rambling on, but couldnt you use stunnel to accomplish this?

Now you guys have me on a small tangent, and I am going to attempt to setup something like this, just to see how its done. Great, just when i thought I could sleep at work, you guys give me a mission.

[trossachs]

Stunnel? Will have to take a look at this. Post your results here, will definately be interested. Was very pleased to have sorted out my original tunnel spec with Samba.

Always room for improvement!

[GetCool]

[trossachs]

Am I to assume that we have all setup Samba > Win2k via SSH and now we are looking for a non-terminal session environment?

[Chris W]

Perhaps the plink.exe tool in the PuTTY suite could do the trick. Something like:

[GetCool]

[fleed]

Maybe add something to /etc/ssh/sshrc? or
command="command" in $HOME/.ssh/authorized_keys?

These are the options I thought could help you after a quick glance through `man sshd`. Maybe you could also use true for the users' shell config in /etc/passwd but you need to experiment with it to see if that doesn't stop them from logging in.

[Lori]

I don't know why you don't like the VPN scenario... if the clients are NT based machines, you don't even need to install any extra software, but use the built-in IPsec implementation with a shared key. Install racoon or isakmpd on the server and configure it to require encryption with the IP class you want to secure. I had a working configuration with Windows XP workstations and a FreeBSD server running racoon. And this way all communications are secured. Looks like a pretty good option to me...
_________________
"The hunt is sweeter then the kill."
Registered Linux User #176911

[trossachs]

Did you use OpenVPN? Because I found that it was a real pain in the butt to configure hence the reason why I went for the SSH/Putty solution.

[GetCool]

[GetCool]

I figured out how to do it! The solution was something I thought of originally but never actually tried: to use scponly.

All I had to do was emerge scponly, add the scponly shell to /etc/shells: