On 18/07/2013 18:21, Grant wrote:
>>>>> My backup user needs a shell on the backup server in order to execute
>>>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>>>> order to SSH in. My authorized_keys file is locked-down. The second
>>>>> field for the user in /etc/shadow is an exclamation point which I
>>>>> think means the user can not log in with a password. Should I take
>>>>> any additional steps to prevent that user from logging in and not
>>>>> being subject to the authorized_keys restrictions?
>>>>
>>>> What about "PasswordAuthentication no"?
>>>
>>> Can that be set for a single user? I have a normal user who needs to
>>> log in via SSH with a password and a backup user who only needs to run
>>> rsync via SSH keys. If not, does the exclamation point in /etc/shadow
>>> prevent the user from logging in without the SSH key?
>>
>> Depends.
>>
>> The user doesn't have a Unix password, so if the system prompts for one
>> it cannot succeed and the login fails.
>>
>> But sshd has other implementations for authentication too, not just
>> classic Unix. If it uses PAM, then PAM could in theory do anything, even
>> using AD to authenticate with a password.
>>
>> So if your sshd config uses Unix passwords and keys ONLY (this is the
>> norm), then what you describe above does what you want. To be sure, you
>> need to audit sshd_config and your pam setup
>
> Here is my entire sshd_config:
>
> PasswordAuthentication no
> UsePAM yes
> PrintMotd no
> PrintLastLog no
> Subsystem sftp /usr/lib64/misc/sftp-server
> AllowUsers user1 user2
>
> That must be the Gentoo-default except for the last line, correct?
> How is this config if I want user1 to login with a password and user2
> has no password in /etc/shadow and automatically logs in via
> authorized_keys to rsync?
Gentoo default uses a conventional PAM setup, so set

PasswordAuthentication yes
PubkeyAuthentication yes

and it should work.

I don't know of any way to configure per-user auth types in sshd_config
itself, so I recommend you define exactly what you want to accomplish:
do you want to give one user a password and no key, and the other user a
key but no password, and have it just work regardless? This would be the
"convenience" approach. Or do you want to enforce the auth method that a
specific user must use? This would be the "security" approach and is
considerably more difficult.

--
Alan McKinnon
[email protected]
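The "security" approach discussed in this thread (enforcing which authentication method each user may use) can be written with OpenSSH's Match directive, which applies settings per user. This is an added example, not configuration from the thread or from Gentoo; it assumes the user names user1 and user2 from the thread and an sshd recent enough to support AuthenticationMethods (OpenSSH 6.2 or later).

```sshd_config
# Global defaults: apply to every user not covered by a Match block below.
# user1 keeps ordinary password login; PAM stays on so its account and
# session modules still run for every login.
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2

# Match blocks must come last: every directive after a Match line belongs
# to that block until the next Match line.
Match User user2
    # Refuse password and PAM keyboard-interactive prompts for the backup
    # user, so the "!" in /etc/shadow is not the only thing between a
    # guessed or PAM-sourced password and a shell.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PubkeyAuthentication yes
    # Require the public-key method explicitly (OpenSSH 6.2+): even a
    # permissive PAM stack cannot reopen a password path for this user.
    AuthenticationMethods publickey
    # Only the rsync transfer should be reachable through this login.
    AllowTcpForwarding no
    X11Forwarding no
```

Before restarting sshd, print the effective settings for each user with `sshd -T -C user=user2,host=HOST,addr=ADDR` (HOST and ADDR are placeholders for a client name and address, which older releases require alongside user) and confirm that only user2's block shows PasswordAuthentication no.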

