
Monday, January 19, 2009

Restricting Access to SSH Tunnels in Cygwin

I've got an SSH server set up at home that I use to secure my web browsing while I'm using public WiFi and I've found that I'd like to share that security with some of my friends. Unfortunately, doing this means that I'd have to give them access to run shell commands on my computer, something that I'm NOT comfortable doing.

Today I stumbled across a tip that will allow me to create a generic account that will allow my friends to use my SSH tunnel to pass traffic, but not allow them to get a command prompt on my box, and it's ridiculously easy assuming you already have an SSH server up and running with access to a public IP. If you don't, read Gina Trapani's article on how to do that here.
  1. Create a user account (with a password) on your Windows machine. I chose to name this account "sshtunnel". Make sure that this account is restricted, as it will also allow people to log into your regular Windows computer.
  2. Start > Run > "runas /u:administrator cmd"
  3. In the command prompt, type "C:\cygwin\cygwin.bat"
  4. In the Cygwin window, run the following command to add your new account (sshtunnel in my example) to the SSH server:
    mkpasswd -l -u sshtunnel >> /etc/passwd
  5. Switch back to the Windows command prompt and type:
    notepad C:\cygwin\etc\passwd
  6. Scroll down to the entry for "sshtunnel" and change the end of the line from:
    :/home/sshtunnel:/bin/bash
    to
    :/home/sshtunnel:/bin/false
You should now be able to share the username and password for the sshtunnel account with your friends while not allowing them to log into your computer and execute commands. You should test this to be sure by trying to SSH into your computer using the "sshtunnel" account. What you should see is the message of the day followed immediately by a "Connection to [your server] closed." If you see this then it worked!
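The passwd edit above can be scripted instead of done in Notepad; this is an added example, not part of the original post, that rewrites the shell field for one account with awk and reads it back so the change can be verified. The `disable_shell` and `login_shell` function names and the sample passwd lines are constructed for the demo; it assumes POSIX sh and awk, as found in Cygwin or Linux.

```shell
#!/bin/sh
# Added example: set one account's login shell to /bin/false in a passwd-style
# file (the manual "change /bin/bash to /bin/false" step), then verify it.

# disable_shell USER FILE -> rewrite FILE so USER's 7th field is /bin/false.
# Refuses to act if USER has no entry (i.e. the mkpasswd step was skipped).
disable_shell() {
    user="$1"; file="$2"
    grep -q "^${user}:" "$file" || { echo "no entry for ${user} in ${file}" >&2; return 1; }
    tmp="${file}.tmp.$$"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $7 = "/bin/false" } { print }' "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# login_shell USER FILE -> print the shell field for USER (empty if absent).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Constructed sample file in the shape that `mkpasswd -l -u sshtunnel` appends;
# a temporary copy is used so the demo never touches the real /etc/passwd.
demo_file="$(mktemp)"
trap 'rm -f "$demo_file"' EXIT
cat > "$demo_file" <<'EOF'
Administrator:unused:500:513:U-PC\Administrator,S-1-5-21-1-1-1-500:/home/Administrator:/bin/bash
sshtunnel:unused:1005:513:U-PC\sshtunnel,S-1-5-21-1-1-1-1005:/home/sshtunnel:/bin/bash
EOF

disable_shell sshtunnel "$demo_file"
login_shell sshtunnel "$demo_file"      # -> /bin/false
login_shell Administrator "$demo_file"  # -> /bin/bash (other accounts untouched)
```

To apply it to the live server, run `disable_shell sshtunnel /etc/passwd` from the elevated Cygwin window. Keep in mind that /bin/false only removes the shell; what the account may still forward through sshd is controlled separately by the `AllowTcpForwarding` and `PermitOpen` settings in sshd_config.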

Your friends can connect to the tunnel like this:

On Windows
  1. Download, install, and run PuTTY
  2. Enter the IP address and port (usually 22). Be sure to name and save the connection so that you don't have to type this in every time.
  3. In the "Category" tree on the left side of the PuTTY window, scroll down to "Connection > SSH > Tunnels" and enter the port you want to create on your friend's computer for their end of the tunnel. In this example I chose to use port 9090. Also, choose the "Dynamic" option.
  4. Be sure to save the connection and log in.
  5. Now you need to configure Firefox to use your brand spanking new secure tunnel.
On Linux
  1. In the terminal, run the following command:
    ssh -ND 9090 sshtunnel@YOURSERVER -p 22
    The "-p 22" isn't explicitly required, but if you've set your server to use a port other than 22, you'll need to specify that here.
  2. As long as that terminal window is open, so is your tunnel.
  3. There is no step 3, I just wanted to highlight how much cooler Linux is than Windows when it comes to networking.
Configure Firefox
  1. In the Firefox menu bar, go to "Tools > Options > Advanced > Network tab > Connection Settings"
  2. Set the SOCKS Host to "localhost" and port to "9090"
  3. That's it! Your friends should now be able to browse the web over your secure tunnel without being able to execute commands from the prompt.
  4. These settings are static, so when your friends want to stop using your tunnel, they'll have to check the "No proxy" button in this window.
  5. I chose to use the FoxyProxy add-on to manage this for me.
