Hi.

I have a client machine using ssh as root via key authorization to a server. The client uses rsync to send backup data to the server. I use ForceCommand to allow only this activity when using key authorization.

But I also want to be able to ssh as root with a required password to do whatever I like.

So I thought that in addition to root, I'd make a rootback account:

    root:x:0:0:root:/root:/bin/bash
    rootback:x:0:0:root:/root:/bin/bash

(Entries in /etc/shadow are required for both, turns out.)

In sshd_conf I have this

    Match User rootback
        PermitRootLogin yes
        ForceCommand /root/bin/dobackup
    Match User root
        PermitRootLogin yes
    Match

When I
    ssh -l rootback host whatever
it runs the dobackup script.

However, when I run
    ssh -l root host date
it logs me in without asking for a password and runs date.

So close. But not right.

Is there a way to get what I want?

I'm running
    openssh.x86_64 5.2p1-2.fc11
on Fedora 11

Thanks

Dave
Dave Yost wrote:
[...]
> In sshd_conf I have this
>
>     Match User rootback
>         PermitRootLogin yes
>         ForceCommand /root/bin/dobackup
>     Match User root
>         PermitRootLogin yes
>     Match

Is there something missing here?

> When I
>     ssh -l rootback host whatever
> it runs the dobackup script.
>
> However, when I run
>     ssh -l root host date
> it logs me in without asking for a password and runs date.
>
> So close. But not right.
>
> Is there a way to get what I want?

You want to disallow public-key authentications for root but not rootback? Does adding "PubkeyAuthentication no" to the "Match User root" section do it?

(You'd probably want to add the other passwordless authmethods to the list too, eg rsa (protocol 1), gssapi, hostbased, rhostsrsa and so forth).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
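To see what Darren's suggestion does to each login, here is an added example (not from the thread and not OpenSSH code): a small Python model of how sshd resolves Match blocks, run over a constructed sshd_config fragment that contains his "PubkeyAuthentication no" for root plus the other passwordless methods he lists. The model follows the documented rules: keywords in a Match block override the global section, a block extends to the next Match line or end of file, and when several blocks match the first value obtained for a keyword wins. Match User is compared against the requested login name, which is why root and rootback are told apart even though both are uid 0. A Match line with no criteria, like the trailing one in Dave's config, is rejected by sshd, and the model rejects it too. The defaults table, the /srv path and the config text are assumptions for the example; /root/bin/dobackup and the keyword names come from the thread.

```python
"""Model of sshd_config Match-block resolution (added example, not sshd)."""

import fnmatch

# Defaults assumed for the example; real sshd defaults vary by version.
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "forcecommand": "none",
}

# Constructed fragment: global section plus the two Match blocks, with the
# root block denying the passwordless methods named in the reply above.
SSHD_CONFIG = """
PermitRootLogin no

Match User rootback
    PermitRootLogin yes
    ForceCommand /root/bin/dobackup

Match User root
    PermitRootLogin yes
    PubkeyAuthentication no
    HostbasedAuthentication no
    GSSAPIAuthentication no
"""


def parse(text):
    """Return (global_opts, [(criteria, opts), ...]); keywords lowercased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            if not value:
                # sshd requires at least one criterion on a Match line
                raise ValueError("Match line needs at least one criterion")
            parts = value.split()
            criteria = dict(zip((p.lower() for p in parts[0::2]), parts[1::2]))
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value       # still in the global section
        else:
            current[1][key] = value        # belongs to the open Match block
    return global_opts, blocks


def is_valid(text):
    """True if the fragment parses, False if it has a bare Match line."""
    try:
        parse(text)
    except ValueError:
        return False
    return True


def matches(criteria, user):
    """Only the User criterion is modelled (comma-separated patterns)."""
    pattern = criteria.get("user")
    if pattern is None:
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in pattern.split(","))


def effective(text, user):
    """Settings sshd would apply to a connection that asks for `user`."""
    global_opts, blocks = parse(text)
    result = dict(DEFAULTS)
    result.update(global_opts)
    seen = set()
    for criteria, opts in blocks:
        if not matches(criteria, user):
            continue
        for key, value in opts.items():
            if key not in seen:          # first matching block wins per keyword
                result[key] = value
                seen.add(key)
    return result


if __name__ == "__main__":
    for user in ("root", "rootback", "dave"):
        print(user, effective(SSHD_CONFIG, user))
```

Run as a script it prints the resolved settings for root (key auth off, no forced command), rootback (key auth on, forced into /root/bin/dobackup) and an unrelated user (root login denied by the global line). Only the User criterion is implemented; Address, Group and the rest are out of scope for the question.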
Dave,

Maybe I'm missing something here... but why don't you just use the "command=" option in authorized_keys? Then just force the backup key to only run /root/bin/dobackup, but add your own key without that restriction?

--Bob

On Mon, Jun 1, 2009 at 1:01 AM, Dave Yost <Dave at yost.com> wrote:
> Hi.
>
> I have a client machine using ssh as root via key authorization to a
> server. The client uses rsync to send backup data to the server. I use
> ForceCommand to allow only this activity when using key authorization.
>
> But I also want to be able to ssh as root with a required password to do
> whatever I like.
>
> So I thought that in addition to root, I'd make a rootback account:
>
>     root:x:0:0:root:/root:/bin/bash
>     rootback:x:0:0:root:/root:/bin/bash
>
> (Entries in /etc/shadow are required for both, turns out.)
>
> In sshd_conf I have this
>
>     Match User rootback
>         PermitRootLogin yes
>         ForceCommand /root/bin/dobackup
>     Match User root
>         PermitRootLogin yes
>     Match
>
> When I
>     ssh -l rootback host whatever
> it runs the dobackup script.
>
> However, when I run
>     ssh -l root host date
> it logs me in without asking for a password and runs date.
>
> So close. But not right.
>
> Is there a way to get what I want?
>
> I'm running
>     openssh.x86_64 5.2p1-2.fc11
> on Fedora 11
>
> Thanks
>
> Dave
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
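Bob's approach puts the restriction on the key rather than on the account, which also removes the need for a second uid-0 entry. The following is an added example, not Dave's /root/bin/dobackup and not OpenSSH code: the authorized_keys line the approach needs, and a forced-command wrapper that only lets the key run the rsync server side into the backup directory. Everything else the key asks for is logged to stderr and refused. The /srv/backup destination and the key material are placeholders; "rsync --server ..." is the form in which an rsync client starts the remote end over ssh.

```sh
#!/bin/sh
# Added example: forced-command wrapper for a backup-only ssh key.
# Install as /root/bin/dobackup (the path from the thread) and point the
# key at it with the authorized_keys line below.

# Constructed authorized_keys entry: tie the key to this wrapper and switch
# off the forwarding and pty features the key has no business using.
AUTHORIZED_KEYS_LINE='command="/root/bin/dobackup",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3...PLACEHOLDER backup@client'

BACKUP_ROOT="/srv/backup"   # placeholder destination directory

# check_original_command CMD: return 0 if CMD is an rsync server invocation
# whose destination is under BACKUP_ROOT and which carries no shell
# metacharacters, 1 otherwise. sshd hands the client's requested command to
# a forced command in SSH_ORIGINAL_COMMAND.
check_original_command() {
    cmd="$1"
    case "$cmd" in
        "rsync --server "*" . $BACKUP_ROOT/"*) ;;   # only this shape is allowed
        *) return 1 ;;
    esac
    case "$cmd" in
        *[';&|$()<>`']*) return 1 ;;   # no chaining, redirection or substitution
    esac
    return 0
}

# run_forced_command: what the wrapper does when sshd executes it.
run_forced_command() {
    if check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting is intended: the string was just validated above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "dobackup: rejected command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    exit 1
}

# Act as the wrapper only when installed and run under its own name; sourcing
# or running this file under another name just defines the functions.
case "${0##*/}" in
    dobackup) run_forced_command ;;
esac
```

The second case statement matters: the first pattern alone would still accept a string that starts out as a legitimate rsync command and has something appended after the destination, so the metacharacter check is what keeps "exec" from ever seeing anything but a single rsync invocation. With the key restricted this way, Dave's interactive root logins can keep a separate, unrestricted key or a password, as Bob describes.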