From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a user with a shell account and SSH access
Date: Thu, 18 Jul 2013 20:32:55 +0200 [thread overview]
Message-ID: <51E834D7.9020403@gmail.com> (raw)
In-Reply-To: <CAN0CFw3cqFLjKOb66jftpff8KmjzCF5zpD1T-2hQxqcVJR5RQg@mail.gmail.com>
On 18/07/2013 18:21, Grant wrote:
>>>>> My backup user needs a shell on the backup server in order to execute
>>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>>> order to SSH in. My authorized_keys file is locked-down. The second
>>>>> field for the user in /etc/shadow is an exclamation point which I
>>>>> think means the user can not log in with a password. Should I take
>>>>> any additional steps to prevent that user from logging in and not
>>>>> being subject to the authorized_keys restrictions?
>>>>
>>>> What about "PasswordAuthentication no"?
>>>
>>> Can that be set for a single user? I have a normal user who needs to
>>> log in via SSH with a password and a backup user who only needs to run
>>> rsync via SSH keys. If not, does the exclamation point in /etc/shadow
>>> prevent the user from logging in without the SSH key?
>>
>> Depends.
>>
>> The user doesn't have a Unix password, so if the system prompts for one
>> it cannot succeed and the login fails.
>>
>> But sshd has other implementations for authentication to, not just
>> classic Unix. If it uses PAM, then PAM could in theory do anything, even
>> using AD to authenticate with a password.
>>
>> So if your sshd config uses Unix passwords and keys ONLY (this is the
>> norm), then what you describe above does what you want. To be sure, you
>> need to audit sshd_config and your pam setup
>
> Here is my entire sshd_config:
>
> PasswordAuthentication no
> UsePAM yes
> PrintMotd no
> PrintLastLog no
> Subsystem sftp /usr/lib64/misc/sftp-server
> AllowUsers user1 user2
>
> That must be the Gentoo-default except for the last line, correct?
> How is this config if I want user1 to login with a password and user2
> has no password in /etc/shadow and automatically logs in via
> authorized_keys to rsync?
Gentoo default uses a conventional PAM setup so set
PasswordAuthentication yes
PubkeyAuthentication yes
and it should work.
I don't know of any way to configure per-user auth types in sshd_config
itself, so I recommend you define exactly what you want to accomplish:
do you want to give one user a password and no key, and the other user a
key but no password, and have it just work regardless? This would be the
"convenience" approach
or do you want to enforce the auth method that a specific user must use?
This would be the "security" approach and is considerably more difficult
--
Alan McKinnon
alan.mckinnon@gmail.com
next prev parent reply other threads:[~2013-07-18 18:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-01 23:24 [gentoo-user] Locking down a user with a shell account and SSH access Grant
2013-07-01 23:34 ` Neil Bothwick
2013-07-02 6:33 ` Grant
2013-07-02 6:39 ` Adam Carter
2013-07-02 7:44 ` Alan McKinnon
2013-07-18 16:21 ` Grant
2013-07-18 18:32 ` Alan McKinnon [this message]
2013-07-18 19:58 ` Paul Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51E834D7.9020403@gmail.com \
--to=alan.mckinnon@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox