Michael Gale wrote:
Hello,
I have been able to restrict an account using options in the
authorized_keys file:
--snip--
from="*",command="/usr/local/bin/jcmenu",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA......
--snip--
However, password-based logins are currently allowed on the system and
cannot be turned off :( Is there a way to have the above restrictions
in place regardless of the authentication method?
openssh-3.9p1-8.RHEL4.4
Not with that version. You can disable some globally (e.g. X11Forwarding),
but there's no equivalent to others (e.g. command=), and there's no way to
restrict individual users.
In current versions of OpenSSH there's an additional keyword "Match"
that allows you to apply directives in sshd_config on a per-user (or per
group or per host) basis. There's also a new directive "ForceCommand"
which is equivalent to the "command=" key restriction.
So assuming the user you want to restrict is "someuser", you could add
this to the bottom of your sshd_config file:
Match User someuser
    ForceCommand /usr/local/bin/jcmenu
    AllowTcpForwarding no
    X11Forwarding no
There's no equivalent to "no-agent-forwarding" but it would not be hard
to add.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
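
Added example, not part of the original thread and not OpenSSH code: a small Python check that resolves which sshd_config values apply to a given user once "Match User" blocks are taken into account, and reports whether the three restrictions from the reply are in force. The function names and the sample config are constructed for illustration; only "Match User" criteria are modelled, and keywords left unset are reported as missing because sshd's built-in defaults are not modelled.

```python
import re
# Constructed sample: global defaults followed by the Match block from the reply.
SAMPLE_CONFIG = """\
X11Forwarding yes
PasswordAuthentication yes
Match User someuser
    ForceCommand /usr/local/bin/jcmenu
    AllowTcpForwarding no
    X11Forwarding no
"""
REQUIRED = {"allowtcpforwarding": "no", "x11forwarding": "no"}

def _glob(pattern, name):
    """sshd-style wildcards: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name) is not None

def _user_matches(pattern_list, user):
    """Comma-separated patterns; a matching '!' entry vetoes the whole list."""
    hit = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _glob(pat[1:], user):
                return False
        elif _glob(pat, user):
            hit = True
    return hit

def effective_settings(config_text, user):
    """Return {keyword: value} for `user`. Assumption: only 'Match User' is modelled."""
    global_cfg, match_cfg, active = {}, {}, None
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            crit = value.split(None, 1)
            ok = len(crit) == 2 and crit[0].lower() == "user" and _user_matches(crit[1], user)
            active = match_cfg if ok else {}  # non-matching blocks are discarded
        else:
            (global_cfg if active is None else active).setdefault(key, value)
    return {**global_cfg, **match_cfg}  # Match values override the global section

def audit(config_text, user):
    """List restrictions from the reply that are not explicitly in force."""
    eff = effective_settings(config_text, user)
    missing = [] if eff.get("forcecommand") else ["forcecommand unset"]
    return missing + [f"{k} != {v}" for k, v in REQUIRED.items() if eff.get(k, "").lower() != v]
```

On a live host running an OpenSSH version that supports it, sshd's extended test mode (sshd -T with -C user=someuser) reports the settings the daemon itself would apply.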