Hi.

I wonder if it would be possible to implement support for a user-specific sshd_config. The primary reason is that I would like the ability to specify that I'm only allowed to login with a key pair, even though the system-wide sshd configuration still allows passwords for other users.

Of course, a user-specific sshd_config file should not be able to break the security policy of the system-wide configuration, only restrict it even further.

Would this be possible?

Regards
Ingemar
On Fri, Apr 04, 2008 at 07:07:17AM +0200, Ingemar Nilsson wrote:
> I wonder if it would be possible to implement support for a
> user-specific sshd_config.

Sure it is. But there exists no such support.

> Of course, a user-specific sshd_config file should not be able to
> break the security policy of the system-wide configuration, only
> restrict it even further.

And it may be tricky to decide what constitutes "further restrictions".

Either way I believe it will be much quicker to ask your friendly root to add the exception in a Match block in the system sshd_config.

//Peter
Peter Stuge wrote:
> Ingemar Nilsson wrote:
> > I wonder if it would be possible to implement support for a
> > user-specific sshd_config.
>
> Either way I believe it will be much quicker to ask your friendly
> root to add the exception in a Match block in the system sshd_config.

When faced with a similar problem I ran an additional and separate sshd and supplemented the configuration with command line arguments. In this case IIRC -oPasswordAuthentication=no -Port=2222 -oPidFile=/var/run/sshd-noppass.pid and installed a control script /etc/init.d/sshd.nopass and then adjusted firewall rules accordingly.

Bob
On Fri, Apr 04, 2008 at 09:46:01AM -0600, Bob Proulx wrote:
> > > I wonder if it would be possible to implement support for a
> > > user-specific sshd_config.
> >
> > Either way I believe it will be much quicker to ask your friendly
> > root to add the exception in a Match block in the system sshd_config.
>
> When faced with a similar problem I ran an additional and separate
> sshd and supplemented the configuration with command line arguments.
> In this case IIRC -oPasswordAuthentication=no -Port=2222
> -oPidFile=/var/run/sshd-noppass.pid

Unfortunately the user will still be authenticated by password on port 22.

//Peter
On Fri, 4 Apr 2008, Ingemar Nilsson wrote:
> Hi.
>
> I wonder if it would be possible to implement support for a
> user-specific sshd_config. The primary reason is that I would like the
> ability to specify that I'm only allowed to login with a key pair, even
> though the system-wide sshd configuration still allows passwords for
> other users.

You can do this with the "Match" keyword in sshd_config now. You need root access to configure it though.

    Match user djm
        PasswordAuthentication no
        KbdInteractiveAuthentication no
        GSSAPIAuthentication no
        KerberosAuthentication no
        HostbasedAuthentication no
        PubkeyAuthentication yes

> Of course, a user-specific sshd_config file should not be able to break
> the security policy of the system-wide configuration, only restrict it
> even further.
>
> Would this be possible?

Anything's possible :)

-d
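A way to verify that a Match block like the one above restricts only the named user while the global policy stays in force for everyone else. This is an added example, not code from the thread or from OpenSSH: it models the resolution rules from sshd_config(5) (for each keyword the first obtained value wins, and a matching Match block overrides the global section) over a constructed config; only the User criterion is modelled, and on a real host `sshd -T -C user=NAME` is the authoritative check.

```python
"""Resolve the settings sshd would apply to one user from a config that
uses Match blocks. Rules modelled (per sshd_config(5)): in each section
the first obtained value of a keyword wins; values set in the first
matching Match block override the global section. Only the 'User'
criterion (comma-separated patterns, '*' and '?' wildcards) is handled;
other criteria raise so the caller is never given a misleading answer."""
from fnmatch import fnmatchcase

# Constructed config: passwords stay allowed system-wide, but are
# switched off for user djm only, as suggested in the thread.
SSHD_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes

Match user djm
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    GSSAPIAuthentication no
    KerberosAuthentication no
    HostbasedAuthentication no
    PubkeyAuthentication yes
"""


def _block_applies(criteria, user):
    """True if the criteria of a 'Match ...' line select this user."""
    words = criteria.split()
    if words == ["all"]:
        return True
    if len(words) == 2 and words[0].lower() == "user":
        return any(fnmatchcase(user, p) for p in words[1].split(","))
    raise ValueError(f"unsupported Match criteria: {criteria!r}")


def effective_config(config_text, user):
    """Return {keyword_lowercased: value} as sshd would see it for `user`."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True     # start in the global section
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip()
        if key == "match":                   # new block: does it apply?
            target, active = match_opts, _block_applies(value, user)
        elif active and key not in target:   # first obtained value wins
            target[key] = value
    return {**global_opts, **match_opts}
```

Running `effective_config(SSHD_CONFIG, "djm")` reports PasswordAuthentication "no", while any other user still gets "yes"; a Match block can therefore tighten one account without loosening anything for the rest.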
Damien Miller wrote:
> You can do this with the "Match" keyword in sshd_config now. You need
> root access to configure it though.
>
>     Match user djm
>         PasswordAuthentication no
>         KbdInteractiveAuthentication no
>         GSSAPIAuthentication no
>         KerberosAuthentication no
>         HostbasedAuthentication no
>         PubkeyAuthentication yes

Sure, but that still involves the system administrator. I would like users to be able to set restrictive login policies for themselves without involving the system administrator.

Regards
Ingemar
On Sat, Apr 05, 2008 at 02:01:22PM +0200, Ingemar Nilsson wrote:
> Sure, but that still involves the system administrator. I would
> like users to be able to set restrictive login policies for
> themselves without involving the system administrator.

Maybe you could use PAM tricks.

//Peter
Ingemar Nilsson wrote:
> Damien Miller wrote:
>
>> You can do this with the "Match" keyword in sshd_config now. You need
>> root access to configure it though.
>>
>>     Match user djm
>>         PasswordAuthentication no
>>         KbdInteractiveAuthentication no
>>         GSSAPIAuthentication no
>>         KerberosAuthentication no
>>         HostbasedAuthentication no
>>         PubkeyAuthentication yes
>
> Sure, but that still involves the system administrator. I would like
> users to be able to set restrictive login policies for themselves
> without involving the system administrator.
>
> Regards
> Ingemar

Set up an isolated environment for every user with root access and leave them to do the administration. Note that how to set up this environment is out of secure shell scope.

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/