Re: Method to customize SSH settings per user




"krsyoung" <krsyoung@xxxxxxxxx> wrote in message
news:1137718148.885008.273700@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hello all,
>
> (OpenSSH 3.4p1,3.8p1,4.0p1/ SuSE, Fedora)
>
> I'm a little stuck on the best way to go about solving a problem and
> currently it has led me to ask this question (the fact that it is
> getting so complicated probably is suggesting there is a better way for
> me to be going about it!)
>
> What I am hoping to do is create an account on a system which can only
> be accessed with keys (I want password authentication impossible).
> However I need other accounts on the system to be accessible with
> passwords. In the sshd_config file I need to have UsePAM set to yes
> which circumvents the PasswordAuthentication option. Has anyone ever
> tackled a problem such as this or know if it is even possible?

Edit the /etc/passwd, or in systems with shadow passwords, /etc/shadow file
to set the password field to be "*locked*" for that account. The "*" is an
invalid character for encrypted passwords: *nothing* encrypts to match
anything containing "*". This also prevents users from resetting that
password, except for the root user.

Doing this for NIS or LDAP setups is left as an exercise for the reader, but
I suggest staying the heck out of this.

> What would be ideal is to have a .ssh/config file with
> PasswordAuthentication set to no, and have that override the global
> UsePAM setting...however it works the exact opposite (which makes
> sense).
>
> Any suggestions are much appreciated. Thanks for the help
> Chris
>
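
Added example, not part of the original posts: a small POSIX shell audit that checks whether an account's password field in a shadow-format file is locked as the reply describes. The sample entries, account names and function names are constructed for illustration; treating "!" as locked in addition to "*" is an assumption taken from shadow(5), not from the thread.

```shell
#!/bin/sh
# Constructed sample data in /etc/shadow format (not from a real system).
SAMPLE_SHADOW='root:$6$Zx1$kq9sB0cHq1:19000:0:99999:7:::
deploy:*locked*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$Ab2$Qm3nT7yLw9:19000:0:99999:7:::'

# password_state FIELD -> prints: locked | empty | hash
password_state() {
    case "$1" in
        "")      echo empty ;;   # empty field: no password is required
        *[*!]*)  echo locked ;;  # "*" or "!" never appears in a password hash
        *)       echo hash ;;    # anything else is treated as a usable hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user state" per line.
audit_shadow() {
    while IFS=: read -r user field _rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(password_state "$field")"
    done
}

# key_only USER: read shadow-format lines on stdin; succeed only if USER
# exists and its password field is locked (password login cannot match).
key_only() {
    while IFS=: read -r user field _rest || [ -n "$user" ]; do
        if [ "$user" = "$1" ]; then
            [ "$(password_state "$field")" = locked ] && return 0
            return 1
        fi
    done
    return 1   # account not found
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real host, run it as root with `key_only deploy < /etc/shadow`; an `empty` result from `audit_shadow` marks an account that needs no password at all and deserves attention first.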

