As per previous discussions, I'm going to set up an ssh reverse tunnel from my eeePC on the boat to my server at home. I will use autossh to run the ssh command on the eeePC so that it will get restarted if it dies for any reason.
The ssh command run on the eeePC on the boat will be something like:-
ssh -R 54321:localhost:22 user@my.home.server
This then allows me to do the following to make an ssh connection from the home server to the eeePC on the boat:-
ssh -p 54321 localhost
So far, so good, that works fine (I've checked it out with a netbook at home).
However, I'd like to make it as secure as possible. The 'hole' I would like to plug is that I have generated an ssh key without a passphrase on the boat eeePC (which is copied to the 'user' login on the home server) so that the 'ssh -R ....' command runs without requiring any passphrase or password. (I can't use an agent really; it needs to be able to work completely unattended from power up.)
The 'user' login is dedicated to the ssh connection, so it doesn't belong to a real person and doesn't own any files; it would allow passwordless access to a shell though at the moment. Is there any way of allowing ssh to connect still but to prevent it from actually doing anything at all? There's no need for 'user' to be able to do anything, and if it can be set up so there's no shell or anything, the passwordless login doesn't offer an intruder anything useful really.
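
One way to get the tunnel-only account asked about above, shown as an added example that is not part of the original post: a server-side Match block that lets 'user' open the one reverse forward and nothing else. It assumes OpenSSH 7.8 or later on the home server (for PermitListen) and that /bin/false exists at that path; the port, account and host names are the ones from the post.

```conf
# /etc/ssh/sshd_config on the home server (added example; assumes OpenSSH 7.8+
# for PermitListen and that /bin/false exists at this path).
# The Match block applies only to the dedicated tunnel account 'user'.
Match User user
    # Key-only login for this account.
    AuthenticationMethods publickey
    PasswordAuthentication no
    # Allow -R (remote) forwards only; -L and -D requests are refused.
    AllowTcpForwarding remote
    # The only listener the account may open: the port from the post.
    # ssh requests the name "localhost" when -R is given no bind address,
    # so the name is used here rather than 127.0.0.1.
    PermitListen localhost:54321
    # Keep the forwarded port bound to loopback on the server.
    GatewayPorts no
    # Nothing else a session could carry.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    PermitUserRC no
    # Any request for a shell or command runs this instead and exits.
    ForceCommand /bin/false

# Client side on the eeePC: -N asks for no remote command at all, so the
# forced command never runs and the forward stays up.
#   autossh -M 0 -N -o ExitOnForwardFailure=yes \
#       -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
#       -R 54321:localhost:22 user@my.home.server
```

Check the file with `sshd -t` before reloading sshd, and keep an existing session open while testing. With this in place a copy of the passphrase-less key can do no more than open the same loopback listener on port 54321.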