Create a simple perl script:
#!/usr/bin/perl
while(1) { sleep(3600); }
make it executable: chmod 755 /path/to/script.pl
and set it as the user's shell... thus the user will be connected, but
won't be able to do anything...
Regards,
Ventsi
On 3/18/06, Vincent Blondel <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am trying to setup my bsd box so some users can transparently (with a
> key and no prompt for username/password) connect to it.
>
> I also want my users to be able to connect to this host without getting
> any shell, but I encounter some problems configuring this.
>
> I created a user 'vincent' that I configured as locked and without any
> shell.
>
> [EMAIL PROTECTED] [/usr/local/etc/ssh] # grep vincent /etc/master.passwd
> vincent:*LOCKED**:1002:1002::0:0::/home/vincent:/nonexistent
>
> This is also my current ssh daemon config :
>
> [EMAIL PROTECTED] [/usr/local/etc/ssh] # cat sshd_config
> # $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> Port 8022
> Protocol 2
> ListenAddress 10.66.1.2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 2m
> PermitRootLogin no
> StrictModes yes
> MaxAuthTries 6
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> AllowTcpForwarding no
> GatewayPorts no
> X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> PrintMotd yes
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> UseDNS yes
> PidFile /var/run/opensshd.pid
> MaxStartups 10
>
> # no default banner path
> #Banner /etc/issue
>
> # override default of no subsystems
> #Subsystem sftp /usr/libexec/sftp-server
>
>
> If I configure a shell for the user, everything works fine. If I
> remove the shell by setting '/nonexistent', I get this error message:
>
> [EMAIL PROTECTED] [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa
> 10.66.1.2 -p 8022
> Permission denied (publickey,keyboard-interactive).
> [EMAIL PROTECTED] [/home/vincent/.ssh] #
>
> If I try to use '/sbin/nologin' I get this error message:
>
> [EMAIL PROTECTED] [/home/vincent/.ssh] # ssh -T -l vincent -i id_rsa
> 10.66.1.2 -p 8022
> This account is currently not available.
>
> So is there a way to configure an ssh box so somebody can only connect
> to it without getting any prompt (user/password, this is already
> configured...), by only using RSA private keys (this is also OK), and
> without getting any shell?
>
> Regards
> Vincent
>
>
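Added example, not code from either poster. Two points the thread does not spell out. First, sshd itself refuses an account whose login shell does not exist or is not executable (that is the "Permission denied" with /nonexistent, and sshd logs "User vincent not allowed because shell /nonexistent does not exist" to the AUTH facility, so /var/log/auth.log is the place to confirm it); /sbin/nologin exists, so it gets as far as running and prints its own refusal. Second, the posted sshd_config still has ChallengeResponseAuthentication yes, which is why the error lists "publickey,keyboard-interactive": the account is not key-only yet. Rather than relying on the login shell alone, the usual way to pin a key to a do-nothing session is the option list in front of the key in authorized_keys (command=, no-pty, no-port-forwarding, no-X11-forwarding, no-agent-forwarding), which holds even if someone later loosens sshd_config. The account still needs a real executable shell (for example /bin/sh), because sshd runs the forced command through it; a sshd_config Match block with ForceCommand does the same job server-wide but only exists in OpenSSH 4.4 and later, newer than the config shown. The script below assumes that option syntax; the paths, home directory and sample key are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): restrict a key-only account with
# authorized_keys options and check sshd_config for leftover non-key methods.
# Assumes OpenSSH authorized_keys option syntax; all paths and the sample key
# are made up for the demonstration.

# Emit an authorized_keys entry that pins the key to one command and strips
# pty allocation and every kind of forwarding, independent of sshd_config.
# $1 = public key line as produced by ssh-keygen, $2 = command to force.
restricted_key_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$1"
}

# Write the forced command: a script that ignores what the client asked for
# (sshd exposes it in SSH_ORIGINAL_COMMAND) and just holds the session open.
# It is the sh counterpart of the perl loop in the reply above.
write_holder() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Hold the session until the client disconnects; never run anything else.
while :; do sleep 3600; done
EOF
    chmod 755 "$1"
}

# Install the entry with the permissions StrictModes insists on: sshd ignores
# a home, ~/.ssh or authorized_keys that is group- or world-writable.
# $1 = home directory, $2 = public key line, $3 = path of the holder script.
install_restricted_key() {
    home=$1; pubkey=$2; holder=$3
    mkdir -p "$home/.ssh"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    restricted_key_line "$pubkey" "$holder" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Report sshd_config options that still allow a non-key login. sshd keeps the
# FIRST occurrence of an option, so later duplicates are ignored here too;
# commented lines start with '#' and therefore never match. Both options
# default to yes in this era's OpenSSH, so "unset" counts as a failure.
# $1 = path to sshd_config; prints each offending option, returns 1 if any.
check_key_only() {
    rc=0
    for opt in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(awk -v o="$opt" '$1 == o && v == "" { v = $2 } END { print v }' "$1")
        case "${val:-unset}" in
            no) ;;
            *) echo "$opt is ${val:-unset}, want no"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a scratch directory with a constructed key (not real key material).
demo=${TMPDIR:-/tmp}/restricted-demo.$$
mkdir -p "$demo/home"
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsampleKeyMaterialOnly== vincent@example'
write_holder "$demo/holder.sh"
install_restricted_key "$demo/home" "$SAMPLE_KEY" "$demo/holder.sh"
cat "$demo/home/.ssh/authorized_keys"
rm -rf "$demo"
```

With that entry in place the client still authenticates with the key only, gets no pty and no forwarding, and the session sits in the holder script until the client closes it; check_key_only against the posted config reports ChallengeResponseAuthentication, and flipping it to no makes the "keyboard-interactive" method disappear from the client's error.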