>>>> My backup user needs a shell on the backup server in order to execute
>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>> order to SSH in. My authorized_keys file is locked down. The second
>>>> field for the user in /etc/shadow is an exclamation point which I
>>>> think means the user cannot log in with a password. Should I take
>>>> any additional steps to prevent that user from logging in and not
>>>> being subject to the authorized_keys restrictions?
>>>
>>> What about "PasswordAuthentication no"?
>>
>> Can that be set for a single user? I have a normal user who needs to
>> log in via SSH with a password and a backup user who only needs to run
>> rsync via SSH keys. If not, does the exclamation point in /etc/shadow
>> prevent the user from logging in without the SSH key?
>
> Depends.
>
> The user doesn't have a Unix password, so if the system prompts for one
> it cannot succeed and the login fails.
>
> But sshd has other implementations for authentication too, not just
> classic Unix. If it uses PAM, then PAM could in theory do anything, even
> using AD to authenticate with a password.
>
> So if your sshd config uses Unix passwords and keys ONLY (this is the
> norm), then what you describe above does what you want. To be sure, you
> need to audit sshd_config and your PAM setup.
Here is my entire sshd_config:

    PasswordAuthentication no
    UsePAM yes
    PrintMotd no
    PrintLastLog no
    Subsystem sftp /usr/lib64/misc/sftp-server
    AllowUsers user1 user2

That must be the Gentoo default except for the last line, correct? How is
this config if I want user1 to log in with a password and user2 has no
password in /etc/shadow and automatically logs in via authorized_keys to
rsync?

- Grant
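Added example, not from Grant's message or any reply in the thread: the per-user split the thread asks about can be expressed directly in sshd_config with Match blocks, so that the policy does not rest only on the "!" in /etc/shadow (which, as the reply notes, PAM could bypass with a non-Unix password source). The script below writes a constructed config in the same layout as the one quoted above (user1 and user2 are the thread's placeholder names) and includes a small awk evaluator that mirrors the precedence rule from sshd_config(5): the first global value is used, and a matching "Match User" block overrides it. The evaluator only models the "User" criterion and exact names, not patterns or other criteria; it is a teaching aid, not sshd's parser.

```shell
#!/bin/sh
# Added example (not from the thread): per-user PasswordAuthentication via
# Match blocks, plus an evaluator that mimics sshd's override rules.

write_config() {
    # $1 = path to write. Constructed sample config, Gentoo-style layout.
    cat > "$1" <<'EOF'
# Global default: no password prompts unless a Match block says otherwise
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2

# user1: interactive account, password login allowed
Match User user1
    PasswordAuthentication yes

# user2: backup account, public key only, regardless of what PAM could
# validate for it
Match User user2
    PasswordAuthentication no
    AuthenticationMethods publickey
EOF
}

# effective_password_auth CONFIG USER -> prints "yes" or "no", the
# PasswordAuthentication value sshd would apply to USER.
# Models only "Match User <exact name>"; first value wins in each scope.
effective_password_auth() {
    awk -v user="$2" '
        BEGIN { global = ""; matched = ""; in_match = 0 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {
                # Block applies only if the criterion is User and the name matches
                in_match = (tolower($2) == "user" && $3 == user)
                next
            }
            if (key == "passwordauthentication") {
                val = tolower($2)
                if (in_match && matched == "") matched = val
                else if (!in_match && global == "") global = val
            }
        }
        END {
            if (matched != "") print matched
            else if (global != "") print global
            else print "yes"                 # sshd default when unset
        }' "$1"
}

conf=$(mktemp)
write_config "$conf"
for u in user1 user2 nobody; do
    printf '%s: PasswordAuthentication %s\n' "$u" "$(effective_password_auth "$conf" "$u")"
done
rm -f "$conf"
```

On the real server the authoritative check is sshd itself: `sshd -T -C user=user2` prints the effective configuration for that user, so grepping its output for passwordauthentication and authenticationmethods confirms what the daemon will actually enforce, independent of the /etc/shadow entry. Keep the user2 Match block even though the global default is already "no": it documents the intent and survives a later change to the global line.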