Re: Method to customize SSH settings per user

Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> writes:

>On 2006-01-20, Unruh <unruh-spam@xxxxxxxxxxxxxx> wrote:
>>>What I am hoping to do it create an account on a system which can only
>>>be accessed with keys (I want password authentication impossible).
>>
>> Just make sure that account has no password.

>That's a very bad idea. Even assuming you have PermitEmptyPasswords=no
>in your sshd_config, if *anyone* can get to *any* other service (telnet,
>ftp, console, whatever) they'll be allowed to log in without any password
>at all.

Oh come on. No password does NOT mean an empty password entry in
/etc/passwd. That is ALL passwords, not No password.
If you need it spelled out, to make sure that the account has NO password,
make sure that the password entry in /etc/passwd is invalid. A bunch of stars,
for example. Or the word Invalid.


>And even if that's not possible right now, it's an accident waiting to
>happen: if at any time in the future a service is added or the sshd_config
>is changed, the accounts could be left wide open to anyone, not just the
>owners of the accounts.

>> ( or make sure that the password is unknown to them)

>Now that's a reasonable approach, as long as the password is strong
>enough and not recorded anywhere. I occasionally use something like
>"openssl rand -base64 15" to generate throwaway passwords for this kind
>of thing.[1]

>A much better alternative is, as Nico suggested, to set the password
>string to something that's not a valid encrypted password string (but
>not the "locked account" string, which is "!!" on most Linuxes).

>[1] Purists will note that this doesn't use all of the available
>characters in a password string, but even an 8-character password
>generated this way still has 48 bits of entropy which is more than a
>typical human-generated password.

>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
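The distinction the thread turns on (an *empty* password field, which lets anyone in through any password-checking service, versus an *invalid* one such as "*" or "Invalid", which no password can ever match, versus the Linux lock string "!!", which sshd treats as a locked account and may refuse even for key logins) is easy to check mechanically. The POSIX sh script below is an added example, not code from anyone in the thread: it classifies the password field of shadow-style entries and lists accounts whose field is empty. The sample lines and the "$6$constructed$..." hash are constructed placeholders, not real accounts, and the classification rules (a leading "$" or a 13-character DES-style string counts as a real hash; anything else crypt(3) cannot produce counts as invalid) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: tell "no password" (invalid field) apart from "empty password".
# Expects the password field as found in /etc/shadow (in /etc/passwd an "x"
# only means "look in /etc/shadow").

classify_pw_field() {
    f=$1
    case "$f" in
        "")       echo EMPTY ;;      # any password-checking service lets anyone in
        '!'*)     echo LOCKED ;;     # Linux lock string ("!!" or "!" + old hash)
        x)        echo SHADOWED ;;   # /etc/passwd placeholder, not a real field
        '$'*)     echo HASH ;;       # modern crypt(3) hash: $1$, $5$, $6$, $y$ ...
        *[!A-Za-z0-9./]*)
                  echo INVALID ;;    # "*", "***", etc: crypt(3) never emits these
        *)        # only a 13-char string from [A-Za-z0-9./] can be a DES hash;
                  # shorter/longer strings such as "Invalid" match no password
                  if [ "${#f}" -eq 13 ]; then echo HASH; else echo INVALID; fi ;;
    esac
}

# stdin: shadow-format lines (user:field:...); stdout: "user CLASS" per line
audit_shadow() {
    while IFS= read -r line; do
        user=${line%%:*}
        rest=${line#*:}
        field=${rest%%:*}
        echo "$user $(classify_pw_field "$field")"
    done
}

# stdin: shadow-format lines; stdout: users whose password field is empty
empty_password_users() {
    audit_shadow | while read -r user class; do
        if [ "$class" = EMPTY ]; then echo "$user"; fi
    done
}

# Constructed sample data (not real accounts): a key-only account, a locked
# account, an account someone left with an empty field, a placeholder modern
# hash, and a legacy DES-style hash.
SAMPLE_SHADOW='keyonly:*:19000:0:99999:7:::
locked:!!:19000:0:99999:7:::
oops::19000:0:99999:7:::
alice:$6$constructed$NotARealHashJustAPlaceholder0123456789:19000:0:99999:7:::
legacy:ab0123456789.:19000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf 'empty-password accounts: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | empty_password_users)"
```

On a real host the same functions can be fed `/etc/shadow` (read as root); the account to flag is any one reported EMPTY, while INVALID is exactly the state the thread recommends for a key-only account.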