Sometimes you need a dedicated Linux user account—just for SSH tunneling. No password logins, no full shell access, just a secure way to access internal services like MySQL, PostgreSQL, or even web dashboards via SSH key authentication.
In this article, we’ll walk through setting up a user called userexample on Debian 12, which can be used for SSH tunneling without a password, while keeping your system secure.
1. Create a User Without a Password
Run the following command to create a new user:

    sudo adduser --disabled-password --gecos "" userexample

- --disabled-password: disables interactive password logins.
- --gecos "": skips the interactive prompts for full name and other info.

This will create a home directory at /home/userexample and set up the environment, but no password will be usable to log in.
2. Add Your SSH Key
Now create the .ssh directory and upload your public key:

    sudo mkdir -p /home/userexample/.ssh
    sudo nano /home/userexample/.ssh/authorized_keys

Paste your public SSH key into the file, like this:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey== you@laptop

Then fix the permissions:
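
    sudo chown -R userexample:userexample /home/userexample/.ssh
    sudo chmod 700 /home/userexample/.ssh
    sudo chmod 600 /home/userexample/.ssh/authorized_keys

With StrictModes at its default of yes, sshd refuses keys kept in files or directories with loose ownership or permissions, so this ensures the SSH service will accept the key.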
3. Optional: Restrict the User’s Shell
If the user is only intended for tunneling and should not access a shell:

    sudo usermod -s /usr/sbin/nologin userexample

This prevents shell access. Tunnels still work as long as the client connects with -N, which forwards ports without starting a remote command. However, if you do want the user to be able to manually run SSH tunnels or debug, leave the default shell (/bin/bash) as is.
4. Secure SSH Configuration
To make sure no user can log in using a password, update your SSH config:

    sudo nano /etc/ssh/sshd_config

Ensure the following lines are present:

    PasswordAuthentication no
    PubkeyAuthentication yes

Then restart the SSH service:

    sudo systemctl restart ssh

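Having both lines present is not enough if an earlier line sets a different value: sshd uses the first value it reads for each keyword, and Debian's stock sshd_config begins by including /etc/ssh/sshd_config.d/*.conf. The script below is an added example, not part of the original article; effective_opt, password_login_disabled and make_sample are hypothetical helper names, and the config files it checks are constructed samples. On a live host, sudo sshd -T prints the values sshd actually uses.

```shell
#!/bin/sh
# Added example (not from the article): report the value sshd would use for
# a global keyword. sshd keeps the FIRST value it reads, so a drop-in pulled
# in by an Include line at the top of sshd_config beats later lines.
# Simplifications (assumptions): absolute Include patterns only, plain
# "Keyword value" syntax, and scanning of a file stops at its first Match.
lower() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# effective_opt FILE KEYWORD -> prints the first value found; returns 1 if unset
effective_opt() {
  local file="$1" want key val f
  want=$(lower "$2")
  while read -r key val || [ -n "$key" ]; do
    key=$(lower "$key")
    case "$key" in
      ''|'#'*) continue ;;            # blank line or comment
      match) return 1 ;;              # global section of this file ends here
      include)
        for f in $val; do             # unquoted on purpose: expands the glob
          if [ -f "$f" ] && effective_opt "$f" "$want"; then return 0; fi
        done ;;
      "$want") lower "$val"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# password_login_disabled FILE -> exit 0 only if the effective value is "no"
# (sshd's built-in default is "yes", so an unset keyword counts as enabled).
password_login_disabled() {
  [ "$(effective_opt "$1" PasswordAuthentication)" = no ]
}

# make_sample DIR: constructed files mimicking Debian's layout, with a
# drop-in that re-enables passwords before the article's lines are read.
make_sample() {
  mkdir -p "$1/sshd_config.d"
  printf '%s\n' "Include $1/sshd_config.d/*.conf" \
    '#PasswordAuthentication yes' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-sample.conf"
}

d=$(mktemp -d) && make_sample "$d"
password_login_disabled "$d/sshd_config" && echo "password logins disabled" \
  || echo "password logins still enabled: the drop-in is read first"
rm -rf "$d"
```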
5. Example: Tunnel MySQL Access
Let’s say your Debian server is at 192.168.88.10, and MySQL is listening on localhost:3306.
From your laptop, create the SSH tunnel like this:

    ssh -i ~/.ssh/id_ed25519 -L 3307:127.0.0.1:3306 userexample@192.168.88.10 -N

This forwards local port 3307 to the remote MySQL port securely. Now, in DBeaver, TablePlus, or any SQL client:
- Host: 127.0.0.1
- Port: 3307
- Use your MySQL credentials as usual
You’ve just tunneled your way into the remote database—without opening up your firewall or using a VPN.
Final Notes
This setup is ideal for developers, sysadmins, or automation systems needing secure internal access without compromising on password security.
If you’re setting up automated scripts or multi-hop bastion access, this is a solid and scalable approach. Consider pairing this with fail2ban or UFW for extra protection.