Re: authorized_keys options for password access ??



Michael Gale wrote:
> Hello,
>
> I have been able to restrict an account using options in the authorized_keys file:
>
> --snip--
> from="*",command="/usr/local/bin/jcmenu",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA......
> --snip--
>
> However password based logins are currently allowed on the system and cannot be turned off :( Is there a way to have the above restrictions in place regardless of the authentication method?
>
> openssh-3.9p1-8.RHEL4.4

Not with that version. You can disable some globally (eg X11Forwarding) but there's no equivalent to others (eg command=) and there's no way to restrict individual users.

In current versions of OpenSSH there's an additional keyword "Match" that allows you to apply directives in sshd_config on a per-user (or per group or per host) basis. There's also a new directive "ForceCommand" which is equivalent to the "command=" key restriction.

So assuming the user you want to restrict is "someuser", you could add this to the bottom of your sshd_config file:

Match User someuser
    ForceCommand /usr/local/bin/jcmenu
    AllowTcpForwarding no
    X11Forwarding no

There's no equivalent to "no-agent-forwarding" but it would not be hard to add.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
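
One way to check that an account carries the restrictions named in the reply above whatever the authentication method, as an added example (not part of the original message and not OpenSSH code). The sample config, the function names and the simplified Match handling (only `Match User`, no negated patterns) are assumptions made for this example.

```python
import fnmatch

# Constructed sample sshd_config: permissive globals, restricted "someuser".
SAMPLE_CONFIG = """\
X11Forwarding yes
AllowTcpForwarding yes

Match User someuser
    ForceCommand /usr/local/bin/jcmenu
    AllowTcpForwarding no
    X11Forwarding no
"""

# OpenSSH defaults for the two forwarding directives checked here.
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}

def effective_settings(config_text, user):
    """Resolve directives for `user`: matching Match blocks override the
    global section, and the first value seen for a keyword wins.
    Assumption: only 'Match User <patterns>' is evaluated (no negation);
    blocks with any other criteria are treated as not matching."""
    global_opts, match_opts = {}, {}
    target = global_opts                       # section currently being filled
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                           # blank, comment or bare keyword
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            crit = value.split()
            applies = (len(crit) == 2 and crit[0].lower() == "user" and
                       any(fnmatch.fnmatchcase(user, p)
                           for p in crit[1].split(",")))
            target = match_opts if applies else None
        elif target is not None:
            target.setdefault(keyword, value)
    return {**DEFAULTS, **global_opts, **match_opts}

def audit_user(config_text, user):
    """Return the restrictions from the thread that are NOT in effect."""
    eff = effective_settings(config_text, user)
    missing = []
    if eff.get("forcecommand", "none").lower() == "none":
        missing.append("ForceCommand (command=)")
    if eff["allowtcpforwarding"].lower() != "no":
        missing.append("AllowTcpForwarding no (no-port-forwarding)")
    if eff["x11forwarding"].lower() != "no":
        missing.append("X11Forwarding no (no-X11-forwarding)")
    return missing
```

An empty list from `audit_user` means all three server-side restrictions apply to that user; any entry names a key option that has no enforced counterpart in sshd_config.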