C.2.  Disabling shell access

User sessions are normally started via the user's configured shell, so restricting the shell is a good method to restrict what kind of sessions the user can start. Primarily this is usefull to prevent users from running custom commands via SSH.

C.2.1.  Changing the configured shell

Commonly the user's shell is configured to /bin/false in order to disable shell access. Unfortunately this also prevents access to ThinLinc as it needs to run the commands thinlinc-login and /opt/thinlinc/etc/xsession via the user's shell. As an alternative it is possible to configure /usr/bin/thinlinc-login as the shell. This will allow ThinLinc to function whilst preventing any other type of session.

Note that this method prevents any terminals inside the session from functioning as well. In most cases it also does not prevent users from running custom scripts and shell commands as they can use a text editor to construct such scripts.

C.2.2.  Using ForceCommand

OpenSSH has the ability to ignore the user's configured shell and run a different command instead. This makes it possible to keep a normal shell for the user and only restrict access when connecting via SSH. However this prevents the native ThinLinc client from connecting as it needs to be able to run the command thinlinc-login with specific arguments. The following script can be specified as ForceCommand to allow only ThinLinc access via SSH:

thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"

It is also possible to apply this restriction only to a subset of users by using the Match setting. Please see OpenSSH's documentation for how to configure this mechanism.