RE: ACL problems, any suggestions would be great
From: Turner, Carl H [NTK] (Carl.H.Turner_at_mail.sprint.com)
Date: Mon, 16 Aug 2004 10:01:04 -0500
To: "ALERT" <Alert@sifycorp.com>, <email@example.com>, <firstname.lastname@example.org>
With a shared account? Yes. You can use multiple keys in your
authorized_keys (OpenSSH). If the user has a matching private, it'll key
it. If there's no match, password will be prompted for.
As for running a single command once the user auths. (Just posted on
this) Look into the command="" option for the authorized_keys (OpenSSH)
From: ALERT [mailto:Alert@sifycorp.com]
Sent: Thursday, August 12, 2004 12:18 AM
To: email@example.com; firstname.lastname@example.org
Subject: Fw: ACL problems, any suggestions would be great
Can anybody help me in this matter?
Is there any way to authenticate one user through key and another user
----- Original Message -----
From: "Robert Hajime Lanning" <email@example.com>
Sent: Thursday, August 12, 2004 6:12 AM
Subject: Re: ACL problems, any suggestions would be great
> For authentication you can look into:
> RhostsRSAAuthentication yes
> HostbasedAuthentication yes
> As for restricting to execution of a single command, I don't think
> OpenSSH can do it.
> I think the commercial SSH from http://www.ssh.com/ can.
> On Tue, 10 Aug 2004 13:57:35 -0400 (EDT), Bryan Loniewski
> <firstname.lastname@example.org> wrote:
> > Here is what we'd like to do:
> > User logs into some machine (frontend) starts pine, pine ssh's to
> > (backend) where their mail is actually stored in Maildir format and
> > We want to do this without the user having to enter a password again
> > machine.
> > Here are the problems:
> > We don't want to use public-key.
> > We don't want these users (the ones typing pine) to be allowed to
> > to the remote
> > machine (backend).
> > We don't want them to be allowed to execute any commands on the
> > machine (with the
> > exception of "exec /etc/rimapd".
> > I could not come up with a solution to solve this problem with
> > I started looking
> > for other open implementations of secure shell and lsh caught my
> > Lsh appealed to me
> > because you could specify a login shell for all users that would
> > override the login shell
> > in the passwd db (this was perfect since we could then create a
> > called rimapd and
> > it just executed /etc/rimapd). The reason I could not go with this
> > solution is lsh
> > does not have trusted host authentication mechanisms, so there was
> > way to have
> > passwordless logins.
> > Any suggestions?
> > Thanks.
> > Bryan
> END OF LINE
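
Added example, not part of the original thread: a small audit of a shared account's authorized_keys that checks each key is pinned with the command="" option mentioned in the reply at the top, here to the /etc/rimapd command from the original question. The sample file, the function names and the extra no-* restrictions it expects are assumptions made for illustration.

```python
import re

# Constructed sample for the shared account; key blobs are placeholders.
SAMPLE = """\
ssh-rsa AAAAB3PLACEHOLDER1 alice@frontend
command="/etc/rimapd" ssh-rsa AAAAB3PLACEHOLDER2 bob@frontend
command="/etc/rimapd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER3 carol@frontend
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# Extra restrictions this audit expects (an assumption, not from the thread).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
# One option: a name, optionally ="value" in which \" escapes a quote.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')


def split_entry(line):
    """Split one authorized_keys line into (options dict, 'type key comment')."""
    if line.startswith(KEY_TYPES):
        return {}, line  # no options field
    in_quotes, i = False, 0
    while i < len(line):  # options end at the first space outside quotes
        c = line[i]
        if c == "\\" and in_quotes:
            i += 1  # skip the escaped character
        elif c == '"':
            in_quotes = not in_quotes
        elif c == " " and not in_quotes:
            break
        i += 1
    opts = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:i])}
    return opts, line[i:].strip()


def audit(text, expected_cmd="/etc/rimapd"):
    """Return {key comment: [findings]}; an empty list means the key is locked down."""
    report = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        opts, rest = split_entry(line)
        findings = []
        if "command" not in opts:
            findings.append("no forced command: key grants a shell")
        elif opts["command"] != expected_cmd:
            findings.append("forced command is not " + expected_cmd)
        findings += sorted("missing " + o for o in REQUIRED - opts.keys())
        report[rest.split()[-1]] = findings
    return report


if __name__ == "__main__":
    for who, findings in audit(SAMPLE).items():
        print(who, "OK" if not findings else findings)
```

With a forced command in place, sshd runs that command regardless of what the client asks for, so the key-to-command binding in this file is what keeps a shared account from becoming a shell account.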