From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a user with a shell account and SSH access
Date: Tue, 02 Jul 2013 09:44:38 +0200 [thread overview]
Message-ID: <51D284E6.9030000@gmail.com> (raw)
In-Reply-To: <CAN0CFw1jGuJ_N+5WEM5yWFspYFadVAxRAtUpzxFGXEsV1YZxOg@mail.gmail.com>
On 02/07/2013 08:33, Grant wrote:
>>> My backup user needs a shell on the backup server in order to execute
>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>> order to SSH in. My authorized_keys file is locked-down. The second
>>> field for the user in /etc/shadow is an exclamation point which I
>>> think means the user can not log in with a password. Should I take
>>> any additional steps to prevent that user from logging in and not
>>> being subject to the authorized_keys restrictions?
>>
>> What about "PasswordAuthentication no"?
>
> Can that be set for a single user? I have a normal user who needs to
> log in via SSH with a password and a backup user who only needs to run
> rsync via SSH keys. If not, does the exclamation point in /etc/shadow
> prevent the user from logging in without the SSH key?
Depends.
The user doesn't have a Unix password, so if the system prompts for one
it cannot succeed and the login fails.
But sshd has other implementations for authentication too, not just
classic Unix. If it uses PAM, then PAM could in theory do anything, even
using AD to authenticate with a password.
So if your sshd config uses Unix passwords and keys ONLY (this is the
norm), then what you describe above does what you want. To be sure, you
need to audit sshd_config and your PAM setup.
--
Alan McKinnon
alan.mckinnon@gmail.com
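The reply's point is that the "!" in /etc/shadow only helps if sshd really is limited to Unix passwords and keys, so the config should be audited rather than assumed. As an added example (not code from the thread or from OpenSSH), the shell checks below run offline against constructed sample files: one computes the effective PasswordAuthentication value for a named user, honouring sshd_config's Match User blocks (the per-user mechanism the question asks about), and the other confirms the user's shadow hash field is locked with "!" or "*". The Match handling is deliberately limited to "Match User" and "Match all" criteria.

```shell
# Constructed sample inputs so the checks run offline (not real config from the thread).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CFG="$SAMPLE_DIR/sshd_config"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_CFG" <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
grant:$6$constructed$notarealhash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
EOF
# Effective PasswordAuthentication for one user, emulating sshd's precedence: outside
# Match blocks the first occurrence wins; a Match block that applies overrides it. Only
# "Match User a,b" and "Match all" are understood; other criteria mean "does not apply".
effective_pw_auth() {  # $1 = sshd_config path, $2 = user name
  awk -v user="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" {
      inmatch = 1; applies = 1
      for (i = 2; i <= NF; i += 2) {
        if (tolower($i) == "all") continue
        if (tolower($i) != "user") { applies = 0; continue }
        n = split($(i + 1), names, ","); hit = 0
        for (j = 1; j <= n; j++) if (names[j] == user) hit = 1
        if (!hit) applies = 0
      }
      next
    }
    tolower($1) == "passwordauthentication" {
      if (!inmatch && global == "") global = tolower($2)
      if (inmatch && applies && matched == "") matched = tolower($2)
    }
    END { print (matched != "" ? matched : (global != "" ? global : "yes")) }
  ' "$1"
}
# Exit 0 when the shadow hash field starts with "!" or "*", i.e. no password can match.
# An empty field is reported as NOT locked, because that means "no password required".
shadow_password_disabled() {  # $1 = shadow file path, $2 = user name
  awk -F: -v user="$2" '$1 == user { found = 1; hash = $2 }
    END { exit !(found && hash ~ /^[!*]/) }' "$1"
}
for u in grant backup; do
  printf '%s: PasswordAuthentication=%s shadow=' "$u" "$(effective_pw_auth "$SAMPLE_CFG" "$u")"
  if shadow_password_disabled "$SAMPLE_SHADOW" "$u"; then echo locked; else echo has-password; fi
done
```

On a live host, `sshd -T -C user=backup` prints sshd's own view of the effective settings for that user and is the authoritative check; whatever PAM does with a password is outside what this script can see.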