public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a user with a shell account and SSH access
Date: Thu, 18 Jul 2013 20:32:55 +0200	[thread overview]
Message-ID: <51E834D7.9020403@gmail.com> (raw)
In-Reply-To: <CAN0CFw3cqFLjKOb66jftpff8KmjzCF5zpD1T-2hQxqcVJR5RQg@mail.gmail.com>

On 18/07/2013 18:21, Grant wrote:
>>>>> My backup user needs a shell on the backup server in order to execute
>>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>>>> field for the user in /etc/shadow is an exclamation point which I
>>>>> think means the user can not log in with a password.  Should I take
>>>>> any additional steps to prevent that user from logging in and not
>>>>> being subject to the authorized_keys restrictions?
>>>>
>>>> What about "PasswordAuthentication no"?
>>>
>>> Can that be set for a single user?  I have a normal user who needs to
>>> log in via SSH with a password and a backup user who only needs to run
>>> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
>>> prevent the user from logging in without the SSH key?
>>
>> Depends.
>>
>> The user doesn't have a Unix password, so if the system prompts for one
>> it cannot succeed and the login fails.
>>
>> But sshd has other implementations for authentication to, not just
>> classic Unix. If it uses PAM, then PAM could in theory do anything, even
>> using AD to authenticate with a password.
>>
>> So if your sshd config uses Unix passwords and keys ONLY (this is the
>> norm), then what you describe above does what you want. To be sure, you
>> need to audit sshd_config and your pam setup
> 
> Here is my entire sshd_config:
> 
> PasswordAuthentication no
> UsePAM yes
> PrintMotd no
> PrintLastLog no
> Subsystem sftp /usr/lib64/misc/sftp-server
> AllowUsers user1 user2
> 
> That must be the Gentoo-default except for the last line, correct?
> How is this config if I want user1 to login with a password and user2
> has no password in /etc/shadow and automatically logs in via
> authorized_keys to rsync?


Gentoo default uses a conventional PAM setup so set

PasswordAuthentication yes
PubkeyAuthentication yes

and it should work.

I don't know of any way to configure per-user auth types in sshd_config
itself, so I recommend you define exactly what you want to accomplish:

do you want to give one user a password and no key, and the other user a
key but no password, and have it just work regardless? This would be the
"convenience" approach

or do you want to enforce the auth method that a specific user must use?
This would be the "security" approach and is considerably more difficult



-- 
Alan McKinnon
alan.mckinnon@gmail.com



  reply	other threads:[~2013-07-18 18:35 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-07-01 23:24 [gentoo-user] Locking down a user with a shell account and SSH access Grant
2013-07-01 23:34 ` Neil Bothwick
2013-07-02  6:33   ` Grant
2013-07-02  6:39     ` Adam Carter
2013-07-02  7:44     ` Alan McKinnon
2013-07-18 16:21       ` Grant
2013-07-18 18:32         ` Alan McKinnon [this message]
2013-07-18 19:58 ` Paul Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51E834D7.9020403@gmail.com \
    --to=alan.mckinnon@gmail.com \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox