[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-user
Subject:    Re: [gentoo-user] Locking down a user with a shell account and SSH access
From:       Grant <emailgrant () gmail ! com>
Date:       2013-07-18 16:21:24
Message-ID: CAN0CFw3cqFLjKOb66jftpff8KmjzCF5zpD1T-2hQxqcVJR5RQg () mail ! gmail ! com
[Download RAW message or body]

>>>> My backup user needs a shell on the backup server in order to execute
>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>>> field for the user in /etc/shadow is an exclamation point which I
>>>> think means the user can not log in with a password.  Should I take
>>>> any additional steps to prevent that user from logging in and not
>>>> being subject to the authorized_keys restrictions?
>>>
>>> What about "PasswordAuthentication no"?
>>
>> Can that be set for a single user?  I have a normal user who needs to
>> log in via SSH with a password and a backup user who only needs to run
>> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
>> prevent the user from logging in without the SSH key?
>
> Depends.
>
> The user doesn't have a Unix password, so if the system prompts for one
> it cannot succeed and the login fails.
>
> But sshd has other implementations for authentication to, not just
> classic Unix. If it uses PAM, then PAM could in theory do anything, even
> using AD to authenticate with a password.
>
> So if your sshd config uses Unix passwords and keys ONLY (this is the
> norm), then what you describe above does what you want. To be sure, you
> need to audit sshd_config and your pam setup

Here is my entire sshd_config:

PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2

That must be the Gentoo-default except for the last line, correct?
How is this config if I want user1 to login with a password and user2
has no password in /etc/shadow and automatically logs in via
authorized_keys to rsync?

- Grant

[prev in list] [next in list] [prev in thread] [next in thread]