Old 02-21-2013, 12:22 AM   #1
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 356

Rep: Reputation: 38
sshd configuration | Force a particular user to use passwordless auth only


Is it possible to force a particular user only to use passwordless authentication for ssh? Similar for root

Code:
PermitRootLogin without-password
but for a normal user only?
 
Old 02-21-2013, 12:43 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,402
Blog Entries: 33

Rep: Reputation: 354
Why would you ever want a passwordless auth? This sounds like you're opening yourself up for a whole can of worms on the internet.

If you mean accessing the system using public keys (without having to utilize a password) then that is a different story. Just google "key auth ssh".

In general it is recommended to *not* permit root login over ssh as it is a common attack vector for brute forcing ssh. In this scenario, it's best to set up a user with sudo, use pkauth for the connection, and then "sudo su -" to log into root or the like.

Perhaps elaborate on what you're trying to accomplish, because your question doesn't sound sane and needs a better explanation.

Last edited by sag47; 02-21-2013 at 12:44 AM.
 
Old 02-21-2013, 01:11 AM   #3
the_gripmaster
Ok, it looks like I was unable to describe what I am trying to accomplish.

I have a user called bigboy with a password password. This bigboy should not be able to log in using password over SSH but should be able to log in using key based authentication over SSH. This is the requirement.

Now there are a bunch of other users smallboy, littleboy, bullyboy who should be able to log in using password over SSH.
 
Old 02-21-2013, 01:45 AM   #4
sag47
Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.
 
Old 02-21-2013, 02:26 AM   #5
the_gripmaster
Quote:
Originally Posted by sag47
Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.
Well the requirements are
  • bigboy should have a password
  • su - bigboy should work using the password locally
  • bigboy should not be able to login over ssh using password
  • bigboy should be able to login over ssh using key based auth

So what is important here is preventing bigboy from logging in over ssh using password but letting him log in using key based auth.
 
Old 02-21-2013, 02:56 AM   #6
sag47
Use the Match conditional block in sshd_config to specify user or group specific settings (see man sshd_config under Match). You could append something like the following at the bottom of your sshd_config.
Code:
Match User bigboy
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes
Or you could create a group called keyonly and add bigboy to it.
Code:
groupadd keyonly
usermod -a -G keyonly bigboy
At the bottom of sshd_config add...
Code:
Match Group keyonly
  PasswordAuthentication no
  PermitEmptyPasswords no
  PubkeyAuthentication yes
  RSAAuthentication yes

Last edited by sag47; 02-21-2013 at 03:00 AM.
 
Old 02-21-2013, 03:09 AM   #7
the_gripmaster
You are legend. Thank you!!!
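
One way to confirm that the Match block from post #6 really leaves bigboy with key-only access, as an added example that is not part of the original thread: it reads the effective settings printed by `sshd -T` and flags any that still permit a password prompt, including keyboard-interactive, which `PasswordAuthentication no` does not cover. The function and sample names are hypothetical and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings for one user.
# Live use (as root), with the thread's user name:
#   sshd -T -C user=bigboy,host=localhost,addr=127.0.0.1 | check_keyonly

# Reads "sshd -T" output (lowercase "keyword value" lines) on stdin and
# reports every setting that would still allow a password-style login.
check_keyonly() {
    awk '
        # Keep the first value seen for each keyword.
        !($1 in seen) { seen[$1] = 1; val[$1] = $2 }
        END {
            bad = 0
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; bad = 1
            }
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # keyboard-interactive can ask for the account password via PAM;
            # older releases also report challengeresponseauthentication.
            if (val["kbdinteractiveauthentication"] == "yes" ||
                val["challengeresponseauthentication"] == "yes") {
                print "FAIL keyboard-interactive is still enabled"; bad = 1
            }
            if (val["permitemptypasswords"] == "yes") {
                print "FAIL permitemptypasswords is yes"; bad = 1
            }
            if (!bad) print "OK key-only"
            exit bad
        }'
}

# Constructed sample dumps, not captured from a real host.
# Assumption: the server's global config leaves keyboard-interactive on.
sample_thread_block() {
    printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication yes' 'permitemptypasswords no'
}
# Same, with "KbdInteractiveAuthentication no" added to the Match block.
sample_hardened() {
    printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'permitemptypasswords no'
}

for s in sample_thread_block sample_hardened; do
    echo "== $s"
    "$s" | check_keyonly || true
done
```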
 
  

