Re: Userbased ssh auth. methods



On 2007-08-30, sebastian.kranefeld@xxxxxxxxxxxxx <sebastian.kranefeld@xxxxxxxxxxxxx> wrote:
> is it possible to select the allowed auth. methods per user and not
> global ? For example john=password,rsa-key / kate=rsa-key , aso.

Depends on the software and version. If it's a recent OpenSSH (4.6 and
up) then you can do this with the Match directive in sshd_config, eg

    PasswordAuthentication no
    PubkeyAuthentication yes

    Match User john
        PasswordAuthentication yes

This sets a default of password=no, pubkey=yes but overrides the
password setting for john.

Other SSH implementations may also be able to do it but the details will
vary.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
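
An added example, not part of the original post and not OpenSSH code: a Python model of how the global defaults and a `Match User` block combine, run over the config quoted in the reply. The function names are hypothetical, the user `kate` comes from the question, and the code assumes only `Match User` and `Match All` criteria appear in the file.

```python
import fnmatch

# Constructed sample: the sshd_config fragment from the post.
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes

Match User john
    PasswordAuthentication yes
"""

def user_matches(pattern_list, user):
    """Pattern list as sshd_config uses: comma separated, * and ? wildcards, ! negates."""
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(user, pat.lstrip("!")):
            if negated:
                return False          # a negated hit rejects the whole list
            matched = True
    return matched

def effective_settings(config_text, user):
    """Return the keyword values that apply to `user` (assumption: Match User/All only)."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split(None, 1)
            target = match_opts        # everything after a Match line is conditional
            if crit and crit[0].lower() == "all":
                active = True
            elif len(crit) == 2 and crit[0].lower() == "user":
                active = user_matches(crit[1], user)
            else:
                raise ValueError("unsupported Match criterion: " + value)
        elif active:
            target.setdefault(keyword, value)   # first obtained value wins
    return {**global_opts, **match_opts}        # Match values override the globals

if __name__ == "__main__":
    for name in ("john", "kate"):
        print(name, effective_settings(SAMPLE_CONFIG, name))
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C user=...` connection specification, where the installed version supports it) reports the daemon's own answer for a given user.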