LinuxQuestions.org

the_gripmaster 02-21-2013 12:22 AM

sshd configuration | Force a particular user to use passwordless auth only
 
Is it possible to force a particular user only to use passwordless authentication for ssh? Similar for root

Code:

PermitRootLogin without-password
but for a normal user only?

sag47 02-21-2013 12:43 AM

Why would you ever want a passwordless auth? This sounds like you're opening yourself up for a whole can of worms on the internet.

If you mean accessing the system using public keys (without having to utilize a password) then that is a different story. Just google "key auth ssh".

In general it is recommended to *not* permit root login over ssh as it is a common attack vector for brute forcing ssh. In this scenario, it's best to set up a user with sudo, use pkauth for the connection, and then "sudo su -" to log into root or the like.

Perhaps elaborate what you're trying to accomplish, because your question doesn't sound sane and needs a better explanation.

the_gripmaster 02-21-2013 01:11 AM

Ok, it looks like I was unable to describe what I am trying to accomplish.

I have a user called bigboy with a password password. This bigboy should not be able to log in using password over SSH but should be able to log in using key based authentication over SSH. This is the requirement.

Now there are a bunch of other users smallboy, littleboy, bullyboy who should be able to log in using password over SSH.

sag47 02-21-2013 01:45 AM

Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.

the_gripmaster 02-21-2013 02:26 AM

Quote:

Originally Posted by sag47 (Post 4896487)
Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.

Well the requirements are
  • bigboy should have a password
  • su - bigboy should work using the password locally
  • bigboy should not be able to log in over ssh using password
  • bigboy should be able to log in over ssh using key based auth

So what is important here is preventing bigboy from logging in over ssh using password but letting him log in using key based auth.

sag47 02-21-2013 02:56 AM

Use the Match conditional block in sshd_config to specify user or group specific settings (see man sshd_config under Match). You could append something like the following at the bottom of your sshd_config.
Code:

Match User bigboy
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes

Or you could create a group called keyonly and add bigboy to it.
Code:

groupadd keyonly
usermod -a -G keyonly bigboy

At the bottom of sshd_config add...
Code:

Match Group keyonly
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes
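
To confirm that a Match block like the ones in the post above really applies to bigboy, the effective settings can be read back with sshd's extended test mode (`sshd -T -C ...`) and checked. The following is an added example, not part of the thread; the function name `check_keyonly`, the constructed sample inputs and the extra keyboard-interactive check are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "keyword value" lines in the
# format printed by `sshd -T` and checks that only key-based login is on.
# Real use (as root, after editing sshd_config):
#   sshd -T -C user=bigboy,host=localhost,addr=127.0.0.1 | check_keyonly
check_keyonly() {
    awk '
        function want(key, val) {
            if (!(key in seen)) { printf "FAIL %s not in input\n", key; bad = 1 }
            else if (seen[key] != val) { printf "FAIL %s is %s, want %s\n", key, seen[key], val; bad = 1 }
            else printf "ok   %s %s\n", key, val
        }
        BEGIN { bad = 0 }
        { seen[$1] = $2 }
        END {
            # The three settings the Match block is meant to enforce.
            want("passwordauthentication", "no")
            want("permitemptypasswords", "no")
            want("pubkeyauthentication", "yes")
            # Assumption of this example: keyboard-interactive must be off
            # too, since with PAM it can still prompt for the password.
            # Older sshd prints challengeresponseauthentication instead.
            if ("kbdinteractiveauthentication" in seen) want("kbdinteractiveauthentication", "no")
            if ("challengeresponseauthentication" in seen) want("challengeresponseauthentication", "no")
            exit bad
        }
    '
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_KEYONLY='passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication no'

SAMPLE_KBD_OPEN='passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication yes'

SAMPLE_NO_MATCH='passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication no'

for s in "$SAMPLE_KEYONLY" "$SAMPLE_KBD_OPEN" "$SAMPLE_NO_MATCH"; do
    if printf '%s\n' "$s" | check_keyonly; then echo "=> key-only"; else echo "=> NOT key-only"; fi
done
```

Running the same check with `user=smallboy` should report `passwordauthentication yes`, which shows the Match block is scoped to bigboy only.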


the_gripmaster 02-21-2013 03:09 AM

Quote:

Originally Posted by sag47 (Post 4896513)
Use the Match conditional block in sshd_config to specify user or group specific settings (see man sshd_config under Match). You could append something like the following at the bottom of your sshd_config.
Code:

Match User bigboy
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes

Or you could create a group called keyonly and add bigboy to it.
Code:

groupadd keyonly
usermod -a -G keyonly bigboy

At the bottom of sshd_config add...
Code:

Match Group keyonly
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes


You are legend. Thank you!!!


All times are GMT -5.