Hello all, I am trying to set up my BSD box so some users can connect to it transparently (with a key and no prompt for username/password).

I also want my users to be able to connect to this host without getting any shell, but I ran into some problems configuring this. I created a user 'vincent' that I configured as locked and without any shell:

[EMAIL PROTECTED] [/usr/local/etc/ssh] # grep vincent /etc/master.passwd
vincent:*LOCKED**:1002:1002::0:0::/home/vincent:/nonexistent

This is also my current ssh daemon config:

[EMAIL PROTECTED] [/usr/local/etc/ssh] # cat sshd_config
# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 8022
Protocol 2
ListenAddress 10.66.1.2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/opensshd.pid
MaxStartups 10

# no default banner path
#Banner /etc/issue

# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server

If I configure a shell for the user, everything works fine. If I remove the shell by setting '/nonexistent', I get this error message:

[EMAIL PROTECTED] [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa 10.66.1.2 -p 8022
Permission denied (publickey,keyboard-interactive).
[EMAIL PROTECTED] [/home/vincent/.ssh] #

If I try to use '/sbin/nologin', I get this error message:

[EMAIL PROTECTED] [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa 10.66.1.2 -p 8022
This account is currently not available.

So is there a way to configure an ssh box so somebody can only connect to it without getting any prompt (user/password; this is already configured ...), by only using RSA private keys (this is also OK), and without getting any shell?

Regards,
Vincent
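An added example, not part of Vincent's post or of any reply to it. The two failures in the post come from sshd's pre-authentication account check, not from the key: sshd stat()s the login shell and denies the user outright when it does not exist or is not executable (the "/nonexistent" case, reported only as "Permission denied (publickey,keyboard-interactive)"), and /sbin/nologin is executable, so the key is accepted but the shell just prints its refusal. The usual way to get "key only, no shell" is therefore to keep a real shell on the account and restrict what the key may do in authorized_keys: a forced command plus no-pty and no-forwarding options. The script below builds such an entry and checks a master.passwd line the way sshd's account check does. The command path /usr/local/bin/vincent-sync and the public key are constructed for the example; the *LOCKED* check reflects current OpenSSH portable builds on FreeBSD, which refuse pw-locked accounts for every authentication method (the post shows an older version still logging the locked account in once a shell was set).

```sh
#!/bin/sh
# Added example, not from the post: restricted key-only access without an
# interactive shell.  One helper builds a forced-command authorized_keys
# entry, the other checks an account the way sshd's pre-auth account check
# does, before any key is tried.

# Print an authorized_keys line that runs only $2 for key $1 and disables
# pty allocation and every kind of forwarding.  The command path is the
# caller's choice (hypothetical in the demo below).
restrict_authorized_key() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$2" "$1"
}

# $1 is a master.passwd line:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# Returns 0 if sshd would go on to try the key, 1 with the reason on stderr
# otherwise.
sshd_account_usable() {
    IFS=: read -r _name _pw _uid _gid _class _change _expire _gecos _home _shell <<EOF
$1
EOF
    # "pw lock" prefixes the password field with *LOCKED*; current OpenSSH
    # portable builds for FreeBSD refuse such accounts for every auth
    # method.  A password field of just "*" disables password login
    # without locking the account.
    case $_pw in
        '*LOCKED*'*)
            echo "$_name: locked (*LOCKED*), sshd refuses it for every auth method" >&2
            return 1 ;;
    esac
    # An empty shell field means /bin/sh to sshd.
    [ -n "$_shell" ] || _shell=/bin/sh
    # sshd stats the shell and denies the user if it is missing or not
    # executable; the client only sees "Permission denied (publickey,...)".
    if [ ! -x "$_shell" ]; then
        echo "$_name: shell $_shell missing or not executable, sshd denies login" >&2
        return 1
    fi
    # nologin is executable, so sshd accepts the key, but a forced command
    # is started as "$shell -c command" and nologin ignores that: it prints
    # "This account is currently not available." and exits.
    case $_shell in
        */nologin)
            echo "$_name: $_shell only prints a refusal, forced commands cannot run" >&2
            return 1 ;;
    esac
    return 0
}

# Demo on constructed lines; the first is the one from the post.
for line in \
    'vincent:*LOCKED**:1002:1002::0:0::/home/vincent:/nonexistent' \
    'vincent:*:1002:1002::0:0::/home/vincent:/sbin/nologin' \
    'vincent:*:1002:1002::0:0::/home/vincent:/bin/sh'
do
    if sshd_account_usable "$line"; then
        echo "usable: $line"
    fi
done

# Constructed public key; the forced command path is a hypothetical name.
restrict_authorized_key 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample vincent@client' \
    /usr/local/bin/vincent-sync
```

The resulting line goes into ~vincent/.ssh/authorized_keys; with a real shell such as /bin/sh on the account, every login with that key runs only the forced command and exits, so the user never gets a prompt even with `ssh -T`. With OpenSSH 4.4 or later the same restriction can be applied server-side with a `Match User vincent` block in sshd_config carrying `ForceCommand` and `AllowTcpForwarding no`, which keeps the policy out of a file the user's home directory owns. Note also that the error message in the post lists keyboard-interactive as an offered method, which comes from `ChallengeResponseAuthentication yes`; set it to no if the box really is to accept keys only.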
