Re: Method to customize SSH settings per user

Darren Tucker wrote:

> On 2006-01-20, krsyoung <krsyoung@xxxxxxxxx> wrote:
>> (OpenSSH 3.4p1,3.8p1,4.0p1/ SuSE, Fedora)
> [...]
>> What I am hoping to do is create an account on a system which can only
>> be accessed with keys (I want password authentication impossible).
>> However I need other accounts on the system to be accessible with
>> passwords. In the sshd_config file I need to have UsePAM set to yes
>> which circumvents the PasswordAuthentication option. Has anyone ever
>> tackled a problem such as this or know if it is even possible?
>
> Configure PAM to do it. You want the auth stack to deny any accounts
> that aren't allowed to use PasswordAuthentication, but this will still
> allow non-password authentications (you probably want to disable all but
> RSAAuthentication in sshd_config).
>
> One way to do this is with pam_listfile. Something like this ought to
> work (untested, beware line wrap):
>
> auth required pam_listfile.so \
> onerr=fail item=user sense=allow file=/etc/passwordallowedusers
>

Sanity check, please. The "no [known to user] password" options don't work
in some cases because some people do need sudo access (and I am reluctant
to use NOPASSWD). The idea above sounds like a way I can address this.

Right now, both sshd and sudo files in /etc/pam.d refer to system-auth. Am
I correct that I'd want to:

1. Make the above change in system-auth, and
2. create an alternative to system-auth w/o this change, and
3. have sudo refer to the alternative file?

Yes?

Thanks...

Andrew
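As an added worked example (not from Darren's or Andrew's mail), here is what Andrew's three steps look like as Linux-PAM service files on a Fedora-style layout, together with the list file Darren's pam_listfile line points at. Assumptions: the `include` control keyword (Linux-PAM 0.78 or later; older stacks use pam_stack.so instead), the file name `system-auth-sudo`, the constructed user names `alice`, `bob` and `deploy`, and the trimmed module stacks shown; a real system-auth carries more lines, which are copied over unchanged.

```text
# /etc/passwordallowedusers  (constructed; root-owned, mode 0600)
# One login name per line: only these accounts may pass a password through PAM.
# The key-only account "deploy" is deliberately NOT listed.
alice
bob

# /etc/pam.d/system-auth  (step 1: pam_listfile inserted at the top of the auth stack)
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_listfile.so onerr=fail item=user sense=allow file=/etc/passwordallowedusers
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so

# /etc/pam.d/system-auth-sudo  (step 2: the same stack minus the pam_listfile line; assumed name)
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so

# /etc/pam.d/sudo  (step 3: sudo now includes the alternative stack instead of system-auth)
#%PAM-1.0
auth        include       system-auth-sudo
account     include       system-auth-sudo
password    include       system-auth-sudo
session     include       system-auth-sudo

# /etc/pam.d/sshd  (unchanged: still includes system-auth, so the allow list governs ssh)
#%PAM-1.0
auth        include       system-auth
account     include       system-auth
password    include       system-auth
session     include       system-auth
```

With this layout an ssh password login as `deploy` fails: pam_listfile returns an error because the name is not in the list, and since the module is `required` the whole auth stack fails even though pam_unix would have accepted the password. Public-key logins for `deploy` are unaffected, because sshd only runs the PAM auth stack for password and keyboard-interactive methods (account and session still run for every login, which is why those sections are left alone). sudo includes the alternative stack, so `deploy` can still authenticate to sudo with its password. Two things to check before relying on it: `onerr=fail` means a missing or unreadable list file locks every password login out, so test from a second session before closing the one you edited in; and since PAM stacks are per service, the same pam_listfile line could instead be placed directly in /etc/pam.d/sshd above the `include`, which leaves system-auth and sudo untouched and avoids keeping two copies of the stack in sync.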
