
List:       gentoo-user
Subject:    [gentoo-user] sshd Authentication Restrictions
From:       Josh Cepek <josh.cepek () usa ! net>
Date:       2007-10-30 15:42:48
Message-ID: 472750F8.7090600 () usa ! net

I want to harden my ssh server by restricting most users to Public Key
authentication only.  I can set "ChallengeResponseAuthentication no" in
the config file, but I can't figure out how to then allow a user or
group within a Match section to use Keyboard-Interactive authentication.
 "ChallengeResponseAuthentication" is not valid within a Match section.
 When this directive is added globally there seems to be no way to
enable it again under a Match section.  I also tried to set the global
option "KbdInteractiveAuthentication no", but this doesn't seem to be
valid outside of a Match section since users can connect without public
keys (the sshd process does accept this option, but it doesn't seem to
actually do anything outside of a Match section.)

At this point the only way I've found to do what I want is to add all
users I want to restrict to a group, create a Match section for this
group, and use the directive "KbdInteractiveAuthentication no".  While
this works, I'd like to know if there is a way I can disable it as part
of the global sshd config and enable this authentication only for
specific users.

Thanks for any ideas.

--
Josh


-- 
gentoo-user@gentoo.org mailing list
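
With the group-based workaround described in the message, any account left out of the restricted group keeps keyboard-interactive authentication, as the message reports for users outside a Match section. The following is an added example, not part of the original message: a narrow Python model that reads only plain `Match Group` blocks and lists accounts that were neither restricted nor meant to be exempt. The group name `keyonly`, the user names and the sample config are constructed assumptions.

```python
# Added example: narrow model of the group-based workaround.
KEYWORD = "kbdinteractiveauthentication"

# Constructed sshd_config fragment; the group name "keyonly" is hypothetical.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes

Match Group keyonly
    KbdInteractiveAuthentication no
"""

# Constructed accounts (user -> groups); all names are hypothetical.
SAMPLE_USERS = {
    "alice": {"users", "keyonly"},
    "bob": {"users", "keyonly"},
    "carol": {"users"},    # meant to keep keyboard-interactive
    "newhire": {"users"},  # never added to keyonly
}


def restricted_groups(config_text):
    """Groups whose plain 'Match Group' block sets the keyword to 'no'."""
    restricted, current = set(), set()
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            # Assumption: only 'Match Group a,b' with literal names is
            # modelled; any other Match line restricts nobody here.
            plain = len(words) == 3 and words[1].lower() == "group"
            current = set(words[2].split(",")) if plain else set()
        elif key == KEYWORD and words[1:2] == ["no"]:
            restricted |= current
    return restricted


def unexpected_kbdint_users(config_text, users, intended):
    """Users in no restricted group who are not on the intended list."""
    blocked = restricted_groups(config_text)
    return sorted(name for name, groups in users.items()
                  if not (groups & blocked) and name not in intended)


if __name__ == "__main__":
    # Prints ['newhire']: the account nobody remembered to restrict.
    print(unexpected_kbdint_users(SAMPLE_CONFIG, SAMPLE_USERS, {"carol"}))
```

The model does not evaluate patterns, negation or other Match criteria, so the running server's own view of a given user remains the authority.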

