public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Locking down a user with a shell account and SSH access
@ 2013-07-01 23:24 Grant
  2013-07-01 23:34 ` Neil Bothwick
  2013-07-18 19:58 ` Paul Hartman
  0 siblings, 2 replies; 8+ messages in thread
From: Grant @ 2013-07-01 23:24 UTC (permalink / raw
  To: Gentoo mailing list

My backup user needs a shell on the backup server in order to execute
rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
order to SSH in.  My authorized_keys file is locked-down.  The second
field for the user in /etc/shadow is an exclamation point which I
think means the user can not log in with a password.  Should I take
any additional steps to prevent that user from logging in and not
being subject to the authorized_keys restrictions?

- Grant



* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-01 23:24 [gentoo-user] Locking down a user with a shell account and SSH access Grant
@ 2013-07-01 23:34 ` Neil Bothwick
  2013-07-02  6:33   ` Grant
  2013-07-18 19:58 ` Paul Hartman
  1 sibling, 1 reply; 8+ messages in thread
From: Neil Bothwick @ 2013-07-01 23:34 UTC (permalink / raw
  To: gentoo-user


On Mon, 1 Jul 2013 16:24:29 -0700, Grant wrote:

> My backup user needs a shell on the backup server in order to execute
> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
> order to SSH in.  My authorized_keys file is locked-down.  The second
> field for the user in /etc/shadow is an exclamation point which I
> think means the user can not log in with a password.  Should I take
> any additional steps to prevent that user from logging in and not
> being subject to the authorized_keys restrictions?

What about "PasswordAuthentication no"?


-- 
Neil Bothwick

Every time I jump on the bandwagon all its wheels fall off.


* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-01 23:34 ` Neil Bothwick
@ 2013-07-02  6:33   ` Grant
  2013-07-02  6:39     ` Adam Carter
  2013-07-02  7:44     ` Alan McKinnon
  0 siblings, 2 replies; 8+ messages in thread
From: Grant @ 2013-07-02  6:33 UTC (permalink / raw
  To: gentoo-user

>> My backup user needs a shell on the backup server in order to execute
>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>> order to SSH in.  My authorized_keys file is locked-down.  The second
>> field for the user in /etc/shadow is an exclamation point which I
>> think means the user can not log in with a password.  Should I take
>> any additional steps to prevent that user from logging in and not
>> being subject to the authorized_keys restrictions?
>
> What about "PasswordAuthentication no"?

Can that be set for a single user?  I have a normal user who needs to
log in via SSH with a password and a backup user who only needs to run
rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
prevent the user from logging in without the SSH key?

- Grant



* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-02  6:33   ` Grant
@ 2013-07-02  6:39     ` Adam Carter
  2013-07-02  7:44     ` Alan McKinnon
  1 sibling, 0 replies; 8+ messages in thread
From: Adam Carter @ 2013-07-02  6:39 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org


> > What about "PasswordAuthentication no"?
>
> Can that be set for a single user?  I have a normal user who needs to
> log in via SSH with a password and a backup user who only needs to run
> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
> prevent the user from logging in without the SSH key?
>
> - Grant
>
>

# tail -n 5 /etc/ssh/sshd_config
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Also google scponly


* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-02  6:33   ` Grant
  2013-07-02  6:39     ` Adam Carter
@ 2013-07-02  7:44     ` Alan McKinnon
  2013-07-18 16:21       ` Grant
  1 sibling, 1 reply; 8+ messages in thread
From: Alan McKinnon @ 2013-07-02  7:44 UTC (permalink / raw
  To: gentoo-user

On 02/07/2013 08:33, Grant wrote:
>>> My backup user needs a shell on the backup server in order to execute
>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>> field for the user in /etc/shadow is an exclamation point which I
>>> think means the user can not log in with a password.  Should I take
>>> any additional steps to prevent that user from logging in and not
>>> being subject to the authorized_keys restrictions?
>>
>> What about "PasswordAuthentication no"?
> 
> Can that be set for a single user?  I have a normal user who needs to
> log in via SSH with a password and a backup user who only needs to run
> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
> prevent the user from logging in without the SSH key?

Depends.

The user doesn't have a Unix password, so if the system prompts for one
it cannot succeed and the login fails.

But sshd has other implementations for authentication too, not just
classic Unix. If it uses PAM, then PAM could in theory do anything, even
using AD to authenticate with a password.

So if your sshd config uses Unix passwords and keys ONLY (this is the
norm), then what you describe above does what you want. To be sure, you
need to audit sshd_config and your pam setup

-- 
Alan McKinnon
alan.mckinnon@gmail.com




* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-02  7:44     ` Alan McKinnon
@ 2013-07-18 16:21       ` Grant
  2013-07-18 18:32         ` Alan McKinnon
  0 siblings, 1 reply; 8+ messages in thread
From: Grant @ 2013-07-18 16:21 UTC (permalink / raw
  To: gentoo-user

>>>> My backup user needs a shell on the backup server in order to execute
>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>>> field for the user in /etc/shadow is an exclamation point which I
>>>> think means the user can not log in with a password.  Should I take
>>>> any additional steps to prevent that user from logging in and not
>>>> being subject to the authorized_keys restrictions?
>>>
>>> What about "PasswordAuthentication no"?
>>
>> Can that be set for a single user?  I have a normal user who needs to
>> log in via SSH with a password and a backup user who only needs to run
>> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
>> prevent the user from logging in without the SSH key?
>
> Depends.
>
> The user doesn't have a Unix password, so if the system prompts for one
> it cannot succeed and the login fails.
>
> But sshd has other implementations for authentication too, not just
> classic Unix. If it uses PAM, then PAM could in theory do anything, even
> using AD to authenticate with a password.
>
> So if your sshd config uses Unix passwords and keys ONLY (this is the
> norm), then what you describe above does what you want. To be sure, you
> need to audit sshd_config and your pam setup

Here is my entire sshd_config:

PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2

That must be the Gentoo-default except for the last line, correct?
How is this config if I want user1 to log in with a password and user2
has no password in /etc/shadow and automatically logs in via
authorized_keys to rsync?

- Grant



* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-18 16:21       ` Grant
@ 2013-07-18 18:32         ` Alan McKinnon
  0 siblings, 0 replies; 8+ messages in thread
From: Alan McKinnon @ 2013-07-18 18:32 UTC (permalink / raw
  To: gentoo-user

On 18/07/2013 18:21, Grant wrote:
>>>>> My backup user needs a shell on the backup server in order to execute
>>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>>>> field for the user in /etc/shadow is an exclamation point which I
>>>>> think means the user can not log in with a password.  Should I take
>>>>> any additional steps to prevent that user from logging in and not
>>>>> being subject to the authorized_keys restrictions?
>>>>
>>>> What about "PasswordAuthentication no"?
>>>
>>> Can that be set for a single user?  I have a normal user who needs to
>>> log in via SSH with a password and a backup user who only needs to run
>>> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
>>> prevent the user from logging in without the SSH key?
>>
>> Depends.
>>
>> The user doesn't have a Unix password, so if the system prompts for one
>> it cannot succeed and the login fails.
>>
>> But sshd has other implementations for authentication too, not just
>> classic Unix. If it uses PAM, then PAM could in theory do anything, even
>> using AD to authenticate with a password.
>>
>> So if your sshd config uses Unix passwords and keys ONLY (this is the
>> norm), then what you describe above does what you want. To be sure, you
>> need to audit sshd_config and your pam setup
> 
> Here is my entire sshd_config:
> 
> PasswordAuthentication no
> UsePAM yes
> PrintMotd no
> PrintLastLog no
> Subsystem sftp /usr/lib64/misc/sftp-server
> AllowUsers user1 user2
> 
> That must be the Gentoo-default except for the last line, correct?
> How is this config if I want user1 to log in with a password and user2
> has no password in /etc/shadow and automatically logs in via
> authorized_keys to rsync?


Gentoo default uses a conventional PAM setup so set

PasswordAuthentication yes
PubkeyAuthentication yes

and it should work.

I don't know of any way to configure per-user auth types in sshd_config
itself, so I recommend you define exactly what you want to accomplish:

do you want to give one user a password and no key, and the other user a
key but no password, and have it just work regardless? This would be the
"convenience" approach

or do you want to enforce the auth method that a specific user must use?
This would be the "security" approach and is considerably more difficult



-- 
Alan McKinnon
alan.mckinnon@gmail.com




* Re: [gentoo-user] Locking down a user with a shell account and SSH access
  2013-07-01 23:24 [gentoo-user] Locking down a user with a shell account and SSH access Grant
  2013-07-01 23:34 ` Neil Bothwick
@ 2013-07-18 19:58 ` Paul Hartman
  1 sibling, 0 replies; 8+ messages in thread
From: Paul Hartman @ 2013-07-18 19:58 UTC (permalink / raw
  To: gentoo-user

On Mon, Jul 1, 2013 at 6:24 PM, Grant <emailgrant@gmail.com> wrote:
> My backup user needs a shell on the backup server in order to execute
> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
> order to SSH in.  My authorized_keys file is locked-down.  The second
> field for the user in /etc/shadow is an exclamation point which I
> think means the user can not log in with a password.  Should I take
> any additional steps to prevent that user from logging in and not
> being subject to the authorized_keys restrictions?

There are a few distinct problems and solutions that come to mind.
Here's my take as an uncertified non-expert:

Problem: I want different SSHD config for different users
Solution: use the "Match" directive in sshd_config (as Adam already
pointed out) and enable or disable password authentication for users
who are exceptions to the system-wide setting

Problem: I don't want the backup user to be able to login using a
password anywhere except ssh
Solution 1: set the password to an * in /etc/shadow (disabled password
login permanently)
Solution 2: prefix the existing password with an ! in /etc/shadow
(this disables pw login temporarily, remove the ! to restore the
password)
Solution 3: set the user's shell to /sbin/nologin in /etc/passwd
Note: there are slight differences between these approaches, see "man
5 passwd" for details

Problem: backup user should only be allowed to run the rsync command
Solution 1: set a forced command in sshd_config for that user
Solution 2: set a forced command in authorized_keys for that key

I think if you combine that with what you've already done, that user
should be well and truly locked down. That is based on using the
standard Gentoo configuration... I'm sure there are 1000 different
ways to do it and probably a lot of them better than what I suggested,
so take it FWIW. :)
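
The per-user setup discussed above ("Match" in sshd_config plus a disabled password field in /etc/shadow), as an added example that is not part of any message in this thread: a constructed sshd_config in which user2 is key-only, with a simplified checker for the value that applies to each user and for the state of a shadow password field. The config text and the names `effective_setting` and `shadow_state` are assumptions made for illustration; the checker understands only `Match all` and `Match User NAME`.

```sh
#!/bin/sh
# Constructed sshd_config (not from the thread): user1 may use a password, user2 is key-only.
SAMPLE_CONFIG='PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
AllowUsers user1 user2

Match User user2
    PasswordAuthentication no
    KbdInteractiveAuthentication no
'

# effective_setting KEYWORD USER DEFAULT   (config text on stdin)
# Simplified model: the first value in a matching Match block overrides the
# first value in the global section. Other Match criteria count as no match.
effective_setting() {
    awk -v want="$1" -v user="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); active = 1; inmatch = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = tolower($1)
            if (key == "match") {
                inmatch = 1
                active = (NF == 2 && tolower($2) == "all") ||
                         (NF == 3 && tolower($2) == "user" && $3 == user)
                next
            }
            if (!active || key != want) next
            if (inmatch) { if (m == "") m = $2 }
            else if (g == "") g = $2
        }
        END { print (m != "" ? m : (g != "" ? g : dflt)) }
    '
}

# shadow_state FIELD: classify the second field of an /etc/shadow entry.
shadow_state() {
    case "$1" in
        '')      echo "empty" ;;        # no password needed to authenticate
        '!'|'*') echo "no-password" ;;  # cannot match any typed password
        '!'*)    echo "locked" ;;       # text after the ! is the previous field
        *)       echo "set" ;;
    esac
}

for u in user1 user2; do
    printf '%s PasswordAuthentication=%s\n' "$u" "$(printf '%s' "$SAMPLE_CONFIG" | effective_setting PasswordAuthentication "$u" yes)"
done
```

On a live server, `sshd -T -C user=user2` prints the settings sshd itself resolves for that user. With `UsePAM yes` the PAM stack still needs its own review.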


