public inbox for gentoo-user@lists.gentoo.org
From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Locking down a user with a shell account and SSH access
Date: Thu, 18 Jul 2013 14:58:09 -0500
Message-ID: <CAEH5T2P79mzCcPTqyxKW8nT7iv3VcEzE01kCoXaK6w8iUeHXGA@mail.gmail.com>
In-Reply-To: <CAN0CFw0fijDtZ5XZFnrD_cd5L7k+jr=EL8D8am_NJPthv3hWYg@mail.gmail.com>

On Mon, Jul 1, 2013 at 6:24 PM, Grant <emailgrant@gmail.com> wrote:
> My backup user needs a shell on the backup server in order to execute
> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
> order to SSH in.  My authorized_keys file is locked-down.  The second
> field for the user in /etc/shadow is an exclamation point which I
> think means the user can not log in with a password.  Should I take
> any additional steps to prevent that user from logging in and not
> being subject to the authorized_keys restrictions?

There are a few distinct problems and solutions that come to mind.
Here's my take as an uncertified non-expert:

Problem: I want different SSHD config for different users
Solution: use the "Match" directive in sshd_config (as Adam already
pointed out) and enable or disable password authentication for users
who are exceptions to the system-wide setting

Problem: I don't want the backup user to be able to log in using a
password anywhere except ssh
Solution 1: set the password to an * in /etc/shadow (disabled password
login permanently)
Solution 2: prefix the existing password with an ! in /etc/shadow
(this disables pw login temporarily, remove the ! to restore the
password)
Solution 3: set the user's shell to /sbin/nologin in /etc/passwd
Note: there are slight differences between these approaches, see "man
5 passwd" for details

Problem: backup user should only be allowed to run the rsync command
Solution 1: set a forced command in sshd_config for that user
Solution 2: set a forced command in authorized_keys for that key

I think if you combine that with what you've already done, that user
should be well and truly locked down. That is based on using the
standard Gentoo configuration... I'm sure there are 1000 different
ways to do it and probably a lot of them better than what I suggested,
so take it FWIW. :)

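A worked example of the three "Solution" items above, added here and not
code from Paul's message or from Grant's server: a forced-command wrapper
that only lets the backup key run rsync in server mode under one
directory, plus a small helper that classifies the second /etc/shadow
field. The user name "backup", the script name rsync-only, the path
/srv/backup and the sshd_config / authorized_keys lines in the comments
are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a forced-command wrapper for the
# backup user that only permits rsync in --server (receiving) mode under one
# directory, plus a helper that classifies the second /etc/shadow field the
# way the message above describes. Paths, the user name "backup" and the
# file name rsync-only are assumptions.
#
# Assumed wiring, one line per "Solution" item in the message:
#
#   /etc/ssh/sshd_config
#     Match User backup
#         PasswordAuthentication no
#         ForceCommand /usr/local/bin/rsync-only
#
#   ~backup/.ssh/authorized_keys (options that existed in 2013-era OpenSSH)
#     command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup@client
#
# With ForceCommand in place sshd ignores the command the client asked for,
# runs this script instead and hands the original request over in
# SSH_ORIGINAL_COMMAND. The script decides whether to exec it.

BACKUP_ROOT="/srv/backup"   # assumed: the only tree the key may write into

# rsync_only_check CMD
# Returns 0 when CMD is an rsync server invocation that writes under
# BACKUP_ROOT, 1 otherwise. Pure function so it can be tested without sshd.
rsync_only_check() {
    cmd=$1

    # Empty means "give me an interactive shell": never.
    [ -n "$cmd" ] || return 1

    # rsync --server never needs shell metacharacters or quoting; refuse
    # them so the later exec cannot be turned into "rsync ...; sh".
    case $cmd in
        *[\;\&\|\`\$\(\)\<\>\\\'\"]*) return 1 ;;
    esac

    # Only rsync in server mode (what "rsync src backup@host:/srv/backup/"
    # becomes on the remote side); a client-side rsync could read anything.
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Assumption: the client only pushes. --sender would let the key pull
    # files off the backup server, so reject it.
    case $cmd in
        *" --sender "*) return 1 ;;
    esac

    # The final argument is the destination path: it must be BACKUP_ROOT or
    # below it, with no ".." component that climbs out again.
    dest=${cmd##* }
    case $dest in
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "/$dest/" in
        */../*) return 1 ;;
    esac
    return 0
}

# shadow_password_state FIELD
# Prints how the second /etc/shadow field is treated at password login:
#   empty    no password at all
#   locked   leading "!": locked, restorable by deleting the "!"
#   hash     a usable "$id$..." password hash (legacy 13-char DES hashes
#            are not recognised and fall into "disabled")
#   disabled anything else ("*" and friends): never matches, no pw login
shadow_password_state() {
    case $1 in
        "")   echo empty ;;
        \!*)  echo locked ;;
        \$*)  echo hash ;;
        *)    echo disabled ;;
    esac
}

# Entry point used when installed as /usr/local/bin/rsync-only.
rsync_only_main() {
    if rsync_only_check "$SSH_ORIGINAL_COMMAND"; then
        set -f   # no globbing while word-splitting the vetted command
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning -t rsync-only \
        "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "rsync-only: command not permitted" >&2
    exit 1
}

# Only dispatch when running under the installed name, so the file can also
# be sourced for testing.
case ${0##*/} in
    rsync-only) rsync_only_main ;;
esac
```

Putting the wrapper both in the Match block (ForceCommand) and in the
key's command= option is deliberate: either one alone does the job, but
the second copy survives someone later editing the other file. Run
"sshd -t" after touching sshd_config, and check the rejects with
"journalctl -t rsync-only" or your syslog equivalent. Newer OpenSSH (7.2
and later) accepts the single "restrict" option in place of the no-*
list in the comment.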


Thread overview: 8+ messages
2013-07-01 23:24 [gentoo-user] Locking down a user with a shell account and SSH access Grant
2013-07-01 23:34 ` Neil Bothwick
2013-07-02  6:33   ` Grant
2013-07-02  6:39     ` Adam Carter
2013-07-02  7:44     ` Alan McKinnon
2013-07-18 16:21       ` Grant
2013-07-18 18:32         ` Alan McKinnon
2013-07-18 19:58 ` Paul Hartman [this message]
