Re: SSH pubkey or password based on user group



Nico wrote:
On 26 Oct, 16:25, Nikos Nikoleris <ni...@xxxxxxxxxxx> wrote:
Hi,

What I was trying to do is not to allow users that are in root group to
login using ssh in our server without having their public key while
every other user can choose whether they will login using their password
or their public key.
I was searching through pam modules without success if there was a way
of doing this through pam but I couldn't find any module that will have
my job done. Does anyone have any clue if there is a way of doing this

Would it work simply to leave a cron job in place to scream bloody
murder if anyone puts root keys on the server? Or to allow root logins
only on another port, with your sshd set something like this:

On port 22:

Port 22
PermitRootLogin no

And on port 2022

Port 2022
PubkeyAuthentication no
AllowGroups root

Does that make sense? Manipulating a single SSH daemon to do what you
ask is going a bit far.


Maybe this can do the job, but I was hoping that one instance of the ssh
daemon was enough. What I thought at first was to change the way users
authenticate, so maybe use some other pam module. Those that I have
already found - pam_ssh.so, pam_ssh_agent.so, pam_if.so, maybe a
combination of them - can do something similar but not what I want
exactly. I was hoping that there is a way to use a combination of these
modules to do what I ask. Am I wrong? Isn't pubkey authentication
something that pam handles, just as it is with passwords? If this is true
then there can be a way of implementing or using some modules that do
that.

Thanks
Nikos
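
The requirement discussed in this thread, sketched as an added example that is not part of the original posts: a single sshd instance can apply per-group authentication rules with a Match block. It assumes an OpenSSH release that supports Match Group and AuthenticationMethods (6.2 or later); the group name root is taken from the thread.

```conf
# sshd_config fragment (added example, not from the thread).

# Global defaults: ordinary users may log in with a key or a password.
PubkeyAuthentication yes
PasswordAuthentication yes

# sshd verifies public keys itself. PAM auth modules are only consulted
# for password / keyboard-interactive logins, so the per-group rule is
# set here rather than in the PAM stack.

# Match blocks go after the global settings and stay in effect until
# the next Match line or the end of the file.
# Group matching covers primary and supplementary group membership.
Match Group root
    PasswordAuthentication no
    AuthenticationMethods publickey
```

Running sshd -t checks the file for syntax errors, and sshd -T -C user=NAME,host=HOST,addr=ADDR (NAME, HOST and ADDR are placeholders) prints the effective settings for one connection, so the rule can be confirmed for a member of the group before sshd is reloaded.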