funneld

An SSH service for funneling login users through a single system user.

Overview

funneld is a fairly simple ssh server written in Python. The main use-case is for presenting a specific program to users using ssh to access a host. funneld solves the additional problem of needing to run a web-service or other registration mechanism. The first time any username used to login, it is immediately associated with the incoming public key. Subsequent logins for the username will require the original public key. Every user logging in is forced to execute the shell of the configured "funnel user".

Installation

You can install funneld with pip:

pip install funneld

Configuration

A system user will be needed for running the desired shell program. In this case we create the user foobar with the htop program as the shell:

useradd -s /usr/bin/htop foobar

Running

The service will route all logins through the shell of the specified user:

funneld --port 2200 foobar

The service will be made available on port 22 by default. Change it with the --port flag.

Public Keys

The public keys that are bound to usernames are stored in the home directory of the funnel user:

/home/foobar/.ssh/$login_user.pub

Logging in

If the funnel user is specified as foobar was created with the shell set to /usr/bin/htop then logging in as any user will result in running it:

useradd -s /usr/bin/htop foobar
funneld --port 2200 foobar

# login to execute htop
# and claim the "anything" username
ssh -p 2200 anything@localhost

# public key saved to /home/foobar/.ssh/anything.pub