Limiting SSH access to ThinLinc server

Hello, I’m trying to figure out how to limit users from being able to access my vsmserver via direct SSH, but still allow them to connect to agents via the ThinLinc client.

The intention being that only my user accounts that administer the “master server” should be able to have direct access. However, when I limit the users able to ssh via sshd_config, it causes all other users to be unable to access ThinLinc with a failed password error.

I’ve referred to “Disabling SSH access” in this document, but all it seems to indicate is configuration for restricting access via SSH to the machines in my subcluster.

I tried to find it, but what is the proper way to limit ssh access without affecting ThinLinc from being able to connect users to my agents in the subcluster? Would utilizing the " Using ForceCommand" section of the article get me the results I want when done on the vsmserver?


Did you try setting the users’ shell to /usr/bin/thinlinc-login as described in the documentation? This has a few caveats (see below) but should achieve what you’re looking for, as long as you don’t make this change for users who require a login shell via SSH:

Note that this method prevents any terminals inside the session from functioning as well. In most cases it also does not prevent users from running custom scripts and shell commands as they can use a text editor to construct such scripts.