Re: sshd config question

From: Benjamin Donnachie <benjamin@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 07 Feb 2006 19:47:04 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Heberlein wrote:

Can't seem to find this answer anywhere. This question is from a server
perspective. Is there a way to configure sshd, so that for some set of
users it allows password authentication and for others only public-key
authentication?

I've achieved something similar on my system by setting the password for
user accounts that I don't want to use password authentication to "!!" eg:

public-key-only-user:!!:13109:0:99999:7:::

However, ordinary password users can still set up public key authentication.

I use this to restrict access to admin accounts to public-key
authentication only for security, and I'm not too fussed if ordinary
users want to use public key authentication in addition to passwords.

Hope this is useful.

Take care,

Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBQ+j5OOgNmph0Y1E2AQLI7RAAntSwtwwF9fYOKsUIljOREtYZL8L3mFRn
VljtU07+Jv6hJ5/qAD3CKclDSABHdafnjzC3mQVA9bPi5o1PAiY/wBPJg+W0009Q
2v81Ph2CVWgP3pb2+ZttEsyZPz1y9W+sceWHFVnw/32VTGV1j79VlPnJfufmp3y4
PTfM2rZlDfZ7ogbDIYm9qdVvUYvxtmlRjP72sV6lCSxBaxfLfqQtHRPM02X6QHIl
6IlfkMrOP5F9F6bqsjfOoximPMrZg8/yjnNBuHqrRvnXe7VQ0aZmvyo01CS//bn9
WGOiLtnZ0kjHrkU4EjykJckrVMSQ/cBr0Osx1r8reKKuF0+0MnLag8H8FFFfSulc
SDhZsl5q6zGzoIztoW4EQEwRMzZO6KhwKQFNvsrNRABJ/i1QgZa2GyAwg9NxGnK6
S8birSGP1mWhVGAyArtoL6/7RlzBLB5o9y44MgmMEFwYyIAOLCsqdGorehE67yjp
c/mjz6Pe1CYQaatIQh4tmdyKUOpUHZGZmqdybeC/9+W2KUeKW06Noq347pPlXpjY
Zk3yraJ74WR1DUwq2F4Z1C5w/05MAWMZz+IlZRJRAvpaFZE6tggnuuPumeL6AhwG
EXc7gvPPTLmheix2r/FJ4L7ADVcUwXUkU9t6lP2HHQ14+TDzkRB5/yzJHSZ2DfKz
5l1rVyHl4bw=
=lyPF
-----END PGP SIGNATURE-----

References:
- sshd config question
  - From: Kurt Heberlein

Prev by Date: Re: sshd does not start daemonized anymore
Next by Date: SITE Command
Previous by thread: sshd config question
Next by thread: SITE Command
Index(es):
- Date
- Thread

Relevant Pages

authentication failure when logging in with public key
... When logging in using public key authentication, ... CentER Applied Research ...
(comp.security.ssh)
Re: Port-Knocking vulnerabilities?
... what an attacker ... Don't have services listening on external interfaces that shouldn't be ... Prefer public key authentication over password authentication. ...
(Security-Basics)
Re: Q: pub key login still asks for password??
... Items to look for in the verbose output would be: ... debug1: Next authentication method: publickey ... debug1: Next authentication method: keyboard-interactive ... as well any identities being used in public key authentication. ...
(comp.security.ssh)
Re: bruteforce ssh
... ES> public key authentication. ... It's worth noting that the SSH transport protocol already provides the ... regardless of the user authentication method employed (providing the ...
(comp.security.ssh)
Re: bruteforce ssh
... > ES> Use another authentication scheme than passwords. ... > ES> public key authentication. ... MITM-resistance is only on the client side. ... Someone can still hijack the channel from server to client, ...
(comp.security.ssh)