I'm running OpenSSH 3.4 and have the situation that some users want to allow password authentication into their accounts and some explicitly want to disallow password authentication. Is this possible? I wasn't able to come up with a way looking through ssh_config and sshd_config, as well as some FAQs.

It seems the problem is that there is no scoping of directives in sshd_config, thus PasswordAuthentication is global for all users. Alternatively it seems like sshd should be able to check some file ~/.ssh/sshd_config for such an option.

Any help would be greatly appreciated.

Thanks,
-David Grimes <grimes _at_ cs.washington.edu>

On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote:
> I'm running OpenSSH 3.4 and have the situation that some users want to
> allow password authentication into their accounts and some explicitly
> want to disallow password authentication. Is this possible? I wasn't
> able to come up with a way looking through ssh_config and sshd_config,
> as well as some FAQs.
>
> It seems the problem is that there is no scoping of directives in sshd_config,
> thus PasswordAuthentication is global for all users. Alternatively it seems
> like sshd should be able to check some file ~/.ssh/sshd_config for such an
> option.

If you're using PAM, and you are willing to do some admin for each user (rather than self-admin), you can use a PAM module which reads a file containing a list of users that cannot login. The overhead is you have to add users to that list, although you could script this easily (for user in /home/*; do cd $user; if [ -f .ssh_nopwlogin ]; then addtolist; fi; done). I think Linux-PAM ships with pam_listfile.so to do this. Users doing pubkey auth will still be able to login.

If you're not willing to do the admin piece, then you can just lock those users' accounts, this typically prefaces their crypted passwd entry with '!' thereby disabling password auth. However, this will break as PAM modules are fixed to check this in the account module. (Since the pubkey path correctly still does a PAM 'account' check.) I think Solaris 9 has this fixed, for one.

The first solution is the better of the two, IMHO. Other solutions (non-PAM) will depend on your OS.

/fc

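The pam_listfile approach suggested in the reply above, as an added example that is not part of the original thread: a script that rebuilds the deny list from the `.ssh_nopwlogin` marker files. The function name `build_nopw_list`, the list path `/etc/ssh/nopwlogin` and the PAM line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a pam_listfile deny list
# from per-user marker files named .ssh_nopwlogin.
#
# Assumed PAM line, placed at the top of the auth stack in /etc/pam.d/sshd
# (the list path is an assumption):
#   auth required pam_listfile.so item=user sense=deny file=/etc/ssh/nopwlogin onerr=fail
# sshd public-key logins do not run the PAM auth stack, so listed users
# can still log in with a key while their password logins are refused.

# build_nopw_list HOME_ROOT LIST_FILE
# Writes one username per line for every HOME_ROOT/<user>/.ssh_nopwlogin.
build_nopw_list() {
    home_root=$1
    list_file=$2
    # Build in a temp file beside the target so the swap is atomic and
    # PAM never reads a half-written list.
    tmp=$(mktemp "${list_file}.XXXXXX") || return 1
    for dir in "$home_root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        user=${dir##*/}
        marker=$dir/.ssh_nopwlogin
        # The marker must be a regular file; symlinks are ignored.
        [ -f "$marker" ] && [ ! -L "$marker" ] || continue
        # Skip directory names that are not plausible usernames.
        case $user in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        printf '%s\n' "$user" >> "$tmp"
    done
    # pam_listfile rejects a world-writable list file.
    chmod 644 "$tmp" && mv -f "$tmp" "$list_file"
}

# Typical use as root, e.g. from cron:
#   build_nopw_list /home /etc/ssh/nopwlogin
```

Because the list is regenerated on each run, a user who deletes the marker file gets password login back at the next rebuild.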
On Mon, Oct 28, 2002 at 10:10:49PM -0800, David Grimes wrote:
> I'm running OpenSSH 3.4 and have the situation that some users want to
> allow password authentication into their accounts and some explicitly
> want to disallow password authentication. Is this possible? I wasn't
> able to come up with a way looking through ssh_config and sshd_config,
> as well as some FAQs.
>
> It seems the problem is that there is no scoping of directives in sshd_config,
> thus PasswordAuthentication is global for all users. Alternatively it seems
> like sshd should be able to check some file ~/.ssh/sshd_config for such an
> option.
>
> Any help would be greatly appreciated.

this depends on your operating system support for these kinds of things and should be possible with BSD_AUTH on OpenBSD or BSD/OS, but i you are not using BSD_AUTH. perhaps PAM can do the same.