| Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
02-21-2013, 12:22 AM
|
#1
|
|
Member
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 350
Rep:
|
sshd configuration | Force a particular user to use passwordless auth only
Is it possible to force a particular user only to use passwordless authentication for ssh? Similar for root
Code:
PermitRootLogin without-password
but for a normal user only?
|
|
|
|
02-21-2013, 12:43 AM
|
#2
|
|
Senior Member
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,057
|
Why would you ever want a passwordless auth? This sounds like you're opening yourself up for a whole can of worms on the internet.
If you mean accessing the system using public keys (without having to utilize a password) then that is a different story. Just google "key auth ssh".
In general it is recommended to *not* permit root login over ssh as it is a common attack vector for brute forcing ssh. In this scenario, it's best to set up a user with sudo, use pkauth for the connection, and then "sudo su -" to log into root or the like.
Perhaps elaborate what you're trying to accomplish, because your question doesn't sound sane and needs a better explanation.
Last edited by sag47; 02-21-2013 at 12:44 AM.
|
|
|
|
02-21-2013, 01:11 AM
|
#3
|
|
Member
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 350
Original Poster
Rep:
|
Ok, it looks like I was unable to describe what I am trying to accomplish.
I have a user called bigboy with a password password. This bigboy should not be able to log in using password over SSH but should be able to log in using key based authentication over SSH. This is the requirement.
Now there are a bunch of other users smallboy, littleboy, bullyboy who should be able to log in using password over SSH.
|
|
|
|
02-21-2013, 01:45 AM
|
#4
|
|
Senior Member
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,057
|
Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.
|
|
|
|
02-21-2013, 02:26 AM
|
#5
|
|
Member
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 350
Original Poster
Rep:
|
Quote:
Originally Posted by sag47
Just set a new password for bigboy (I tend to use uuidgen to generate a password). As long as authorized_keys is set up bigboy will have access even after you change the password.
|
Well the requirements are
- bigboy should have a password
- su - bigboy should work using the password locally
- bigboy should not be able to login over ssh using password
- bigboy should be able to login over ssh using key based auth
So what is important here is preventing bigboy from logging in over ssh using password but letting him log in using key based auth.
|
|
|
|
02-21-2013, 02:56 AM
|
#6
|
|
Senior Member
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,057
|
Use the Match conditional block in sshd_config to specify user or group specific settings (see man sshd_config under Match). You could append something like the following at the bottom of your sshd_config.
Code:
Match User bigboy
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
RSAAuthentication yes
Or you could create a group called keyonly and add bigboy to it.
Code:
groupadd keyonly
usermod -a -G keyonly bigboy
At the bottom of sshd_config add...
Code:
Match Group keyonly
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
RSAAuthentication yes
Last edited by sag47; 02-21-2013 at 03:00 AM.
|
|
|
1 members found this post helpful.
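Added example (not part of the thread): a small Python model of how sshd resolves the Match blocks suggested in post #6, to check that bigboy ends up key-only while the other users keep password login. The sample config, the function names and the second Match block are constructed for illustration, and only the User, Group and All criteria are modelled.

```python
from fnmatch import fnmatchcase

# Constructed config: the thread's keyonly block plus a later block, to show ordering.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
PubkeyAuthentication yes
Match Group keyonly
    PasswordAuthentication no
    PubkeyAuthentication yes
Match User bigboy,smallboy
    PasswordAuthentication yes
"""

def _matches(values, patterns):
    """OpenSSH pattern list: a hit on '!pattern' vetoes, otherwise one positive hit is needed."""
    hit = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if any(fnmatchcase(v, pat.lstrip("!")) for v in values):
            if negated:
                return False
            hit = True
    return hit

def _block_applies(criteria, user, groups):
    """Every criterion on a Match line must hold; only User, Group and All are modelled."""
    if criteria[0].lower() == "all":
        return True
    subject = {"user": [user], "group": list(groups)}  # KeyError for Host, Address, ...
    return all(_matches(subject[kind.lower()], pats)
               for kind, pats in zip(criteria[::2], criteria[1::2]))

def effective_settings(config_text, user, groups=()):
    """First value set wins in each scope; values from matching blocks override global ones."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() == "match":  # a block runs until the next Match or end of file
            target = match_opts if _block_applies(words[1:], user, groups) else None
        elif target is not None:
            target.setdefault(words[0].lower(), " ".join(words[1:]))
    return {**global_opts, **match_opts}

def password_login_allowed(config_text, user, groups=()):
    """PasswordAuthentication defaults to yes when no line sets it."""
    return effective_settings(config_text, user, groups).get("passwordauthentication", "yes") == "yes"
```

On the server itself, `sshd -T -C user=bigboy` (extended test mode; older releases also require host= and addr= in the -C spec) prints the settings sshd will actually apply. Note the third case in the model: if bigboy was never added to keyonly, the group block does not apply and password login stays enabled.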
|
02-21-2013, 03:09 AM
|
#7
|
|
Member
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 350
Original Poster
Rep:
|
Quote:
Originally Posted by sag47
Use the Match conditional block in sshd_config to specify user or group specific settings (see man sshd_config under Match). You could append something like the following at the bottom of your sshd_config.
Code:
Match User bigboy
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
RSAAuthentication yes
Or you could create a group called keyonly and add bigboy to it.
Code:
groupadd keyonly
usermod -a -G keyonly bigboy
At the bottom of sshd_config add...
Code:
Match Group keyonly
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
RSAAuthentication yes
|
You are legend. Thank you!!!
|
|
|
|
All times are GMT -5. The time now is 12:44 AM.