@ripper
Last active June 27, 2023 16:09
A script to launch a user-level (unprivileged) sshd that only accepts key-authenticated reverse tunnels (-R): no shell, no local or dynamic forwarding, no X11, no tun devices, no passwords.
#!/bin/sh
# Launch an unprivileged, per-user sshd whose only job is to accept reverse
# (-R) tunnels from key-authenticated clients.
#
# Client side (the -N matters: ForceCommand prints a message and exits, so
# without -N the session closes right after authentication):
#   ssh -p 8443 -N -o ExitOnForwardFailure=yes \
#       -R 127.0.0.1:2222:localhost:22 $USER@server
AUTHORIZED_KEYS=authorized_keys
HOST_RSA_KEY=ssh_host_rsa_key
SSHD=/usr/sbin/sshd
PORT=8443
# sshd wants absolute paths, so resolve relative ones against the working directory.
case "$AUTHORIZED_KEYS" in /*) ;; *) AUTHORIZED_KEYS=$PWD/$AUTHORIZED_KEYS ;; esac
case "$HOST_RSA_KEY" in /*) ;; *) HOST_RSA_KEY=$PWD/$HOST_RSA_KEY ;; esac
if [ ! -e "$AUTHORIZED_KEYS" ]; then
    echo "Didn't find authorized keys file $AUTHORIZED_KEYS" >&2
    echo "Since password authentication is disabled you will not be able to log in" >&2
    exit 1
fi
if [ ! -e "$HOST_RSA_KEY" ]; then
    echo "Didn't find a preexisting host key, will generate $HOST_RSA_KEY"
    ssh-keygen -t rsa -f "$HOST_RSA_KEY" -P '' || exit 1
fi
TMP_SSHD_CONFIG=$(mktemp) || exit 1
trap 'rm -f "$TMP_SSHD_CONFIG"' EXIT INT TERM HUP
cat > "$TMP_SSHD_CONFIG" << EOF
Port $PORT
HostKey $HOST_RSA_KEY
# Deprecated since OpenSSH 7.5 (privilege separation is now always on);
# newer sshd only logs a "Deprecated option" warning and ignores it.
# Original intent: keep the "Local forwarding listening" debug lines visible.
UsePrivilegeSeparation no
# otherwise we won't catch which ports are open
LogLevel DEBUG
PubkeyAuthentication yes
# StrictModes (default yes) rejects this file if it, or any directory above
# it, is group- or world-writable.
AuthorizedKeysFile $AUTHORIZED_KEYS
PidFile /dev/null
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
# An sshd launched as an ordinary user cannot switch to another user anyway,
# but this stops it from even trying.
AllowUsers $USER
ForceCommand echo "no shell access is given"
# "remote" permits only -R (reverse) forwards; -L and -D requests are refused.
# Listeners bind to loopback (GatewayPorts defaults to no) and, because this
# sshd runs unprivileged, only to ports above 1023.
AllowTcpForwarding remote
X11Forwarding no
PermitTunnel no
EOF
# -D: stay in the foreground; -e: log to stderr so the pipeline sees it.
# Keep every non-debug line plus the one debug line that announces a new
# reverse-tunnel listener; drop the rest of the DEBUG noise.
"$SSHD" -De -f "$TMP_SSHD_CONFIG" 2>&1 | awk '
    /^debug1: Local forwarding listening/ { print; next }
    /^debug1:/ { next }
    { print }'
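The whole point of the script is that the generated config really is "reverse tunnels only", and a stray setting (a `Match` block, an `Include`, a duplicate keyword, a `yes` where `remote` was meant) silently widens it. The following is an added example, not part of the gist: a POSIX sh linter that reads an sshd_config on stdin and checks it against the same restrictions the script relies on, following sshd's own parsing rules (keywords are case-insensitive, `Key value` and `Key=value` are equivalent, the first value for a keyword wins, and everything after the first `Match` line is conditional). The function names, the required-value list and the two sample configs are my own constructions.

```shell
#!/bin/sh
# Lint an sshd_config (on stdin) for "reverse tunnels only" hardening.
# Exit status 0 means tunnel-only; otherwise one line per finding is printed.

# Print the effective global value of keyword $1 (empty if not set).
# ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication, so both are treated as the same keyword.
sshd_conf_get() {
    awk -v key="$1" '
        function canon(k) {
            k = tolower(k)
            return (k == "challengeresponseauthentication") ? "kbdinteractiveauthentication" : k
        }
        BEGIN { key = canon(key) }
        { sub(/^[ \t]+/, "") }                  # drop leading indentation
        /^#/ || /^$/ { next }                   # comments and blank lines
        {
            split($0, f, /[ \t=]+/)             # f[1] keyword, f[2] first word of value
            if (canon(f[1]) == "match") exit    # the unconditional section ends here
            if (canon(f[1]) == key) { print f[2]; exit }   # first value wins
        }'
}

# True if keyword $1 (lower case) appears as a directive in the config on stdin.
conf_has_keyword() {
    awk -v k="$1" '
        BEGIN { r = 1 }
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == k { r = 0; exit }
        END { exit r }'
}

# Exit 0 if the config on stdin only allows key-authenticated -R tunnels.
lint_tunnel_sshd_config() {
    conf=$(cat)
    rc=0
    # keyword:required-value; "any" means "must be set, whatever the value"
    for want in PubkeyAuthentication:yes PasswordAuthentication:no \
                KbdInteractiveAuthentication:no UsePAM:no \
                AllowTcpForwarding:remote X11Forwarding:no PermitTunnel:no \
                ForceCommand:any; do
        key=${want%%:*}
        exp=${want#*:}
        got=$(printf '%s\n' "$conf" | sshd_conf_get "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "$key: not set, sshd default applies"
            rc=1
        elif [ "$exp" != any ] && [ "$got" != "$exp" ]; then
            echo "$key: is '$got', want '$exp'"
            rc=1
        fi
    done
    # A Match block can relax any of the above for selected users or hosts, and
    # an Include pulls in files this linter does not read: both need eyes on them.
    if printf '%s\n' "$conf" | conf_has_keyword match; then
        echo "Match block present: conditional overrides need manual review"
        rc=1
    fi
    if printf '%s\n' "$conf" | conf_has_keyword include; then
        echo "Include present: included files are not checked here"
        rc=1
    fi
    return $rc
}

# Constructed sample: a permissive config of the kind a stock install ships,
# plus a Match block and a commented-out directive that must not count.
WEAK_CONF='
Port 8443
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding yes
# AllowTcpForwarding remote
Match User backup
    AllowTcpForwarding remote
'

# Constructed sample: the tunnel-only settings, written in mixed case and in
# "Key=value" form, with a later duplicate that sshd ignores.
HARD_CONF='
port 8443
PubkeyAuthentication=yes
passwordauthentication No
ChallengeResponseAuthentication no
UsePAM no
AllowTcpForwarding remote
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
ForceCommand echo "no shell access is given"
'

echo "== weak config =="
printf '%s\n' "$WEAK_CONF" | lint_tunnel_sshd_config || echo "verdict: NOT tunnel-only"
echo "== hardened config =="
printf '%s\n' "$HARD_CONF" | lint_tunnel_sshd_config && echo "verdict: tunnel-only"
```

Run it against the script's rendered file (`lint_tunnel_sshd_config < "$TMP_SSHD_CONFIG"`) or a system config (`lint_tunnel_sshd_config < /etc/ssh/sshd_config`). Where an sshd binary is at hand, `sshd -T -f FILE` dumps the effective configuration after sshd's own parsing and is the authoritative check; the linter is for the cases where you only have the file.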