Re: SSH pubkey or password based on user group



On 28 Oct, 01:07, "Richard E. Silverman" <r...@xxxxxxxx> wrote:
"AN" == Anastassios Nanos <ana...@xxxxxxxxxxx> writes:

AN> Nikos Nikoleris wrote:
>> Hi,
>>
>> What I was trying to do is not to allow users that are in root
>> group to login using ssh in our server without having their public
>> key while every other user can choose whether they will login using
>> their password or their public key. I was searching through pam
>> modules without success if there was a way of doing this through
>> pam but I couldn't find any module that will have my job done. Does
>> anyone have any clue if there is a way of doing this

AN> hello.

AN> I'm posting in case there is someone else who wants to do that.

AN> finally, we did it ... ;-)

AN> /etc/pam.d/ssh: auth required pam_listfile.so item=group
AN> sense=deny file=/etc/ssh/sshd.deny onerr=succeed

AN> /etc/ssh/sshd.deny: pubkeyssh

AN> so any member of pubkeyssh group is allowed to login only with a
AN> pubkey.

AN> I'm sure there is an easier way to do it but it's more about pam
AN> than ssh.

AN> cheers,

AN> -- Anastassios Nanos <ana...@xxxxxxxxxxx>

AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos <ana...@xxxxxxxxxxx>
AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
AN> 759D

[sshd_config]

# Match blocks belong at the end of sshd_config; every directive after
# this line is scoped to the block until the next Match line or EOF.
Match Group root
    PasswordAuthentication no

--
Richard Silverman
r...@xxxxxxxx


Ahh. That keeps you out of mucking with the PAM configuration files,
which is a bit dangerous to do in systems where software may be
upgraded or configuration tools may edit them in ways that would
require resetting them manually, which could be awkward if your SSH is
messed up.

I think Richard is the winner, and still champeen!

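The sshd_config approach only does what the thread wants if the Match block is placed, and scoped, correctly. Below is an added example (not code from the thread or from OpenSSH) that models the two sshd_config(5) rules that matter here: keywords are case-insensitive and the first obtained value wins, and a Match block overrides the global section for every directive that follows it until the next Match line or end of file. The two config excerpts and the user/group memberships are constructed for the example; the "root" group name comes from the thread.

```python
"""Resolve the effective value of an sshd_config keyword for a given user.

Models a subset of sshd_config(5):
  * keywords are case-insensitive; "Keyword value" form only
  * global section: the first value for a keyword wins, later repeats ignored
  * Match blocks: criteria are Keyword/pattern pairs (User and Group here,
    or "Match all"); the first *matching* block that sets a keyword wins,
    and a matched value overrides the global one
  * a Match block extends to the next Match line or end of file
Full-line comments only: real sshd rejects trailing text on a directive line.
"""
import fnmatch

# Defaults from sshd_config(5) for the keywords resolved in this example.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed excerpt implementing the thread's suggestion: password logins
# stay on for everyone except members of the "root" group.
ROOT_GROUP_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes

# Match blocks come last: every directive below belongs to this block.
Match Group root
    PasswordAuthentication no
"""

# Constructed example of the ordering pitfall: a directive appended after a
# Match line is scoped to that block, not global.  Here it is also ignored
# outright, because the block already set the same keyword (first value wins).
TRAP_CONFIG = """
Match Group root
    PasswordAuthentication no
# Meant to turn passwords off site-wide; it does not.
PasswordAuthentication no
"""


def _tokens(raw):
    """Return (lowercase keyword, argument list) or (None, []) for blank/comment."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None, []
    parts = line.split(None, 1)
    args = parts[1].split() if len(parts) > 1 else []
    return parts[0].lower(), args


def parse_match_criteria(args):
    """Turn ['Group', 'root,wheel', 'User', 'a*'] into [(name, [patterns]), ...]."""
    if [a.lower() for a in args] == ["all"]:
        return []
    if len(args) % 2:
        raise ValueError("Match criteria must be keyword/value pairs: %r" % (args,))
    return [(args[i].lower(), args[i + 1].split(",")) for i in range(0, len(args), 2)]


def parse(config_text):
    """Return (global_settings, [(criteria, block_settings), ...]) in file order."""
    global_settings, blocks, current = {}, [], None
    for raw in config_text.splitlines():
        keyword, args = _tokens(raw)
        if keyword is None:
            continue
        if keyword == "match":
            current = {}
            blocks.append((parse_match_criteria(args), current))
            continue
        target = global_settings if current is None else current
        target.setdefault(keyword, " ".join(args))  # first obtained value wins
    return global_settings, blocks


def block_matches(criteria, user, groups):
    """All criteria must match. Group matches primary or supplementary groups.
    Patterns use '*' and '?' like sshd (negation with '!' is not modelled)."""
    for name, patterns in criteria:
        if name == "user":
            candidates = [user]
        elif name == "group":
            candidates = list(groups)
        else:
            raise ValueError("example models only User/Group criteria, got %r" % name)
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns):
            return False
    return True


def effective(config_text, keyword, user, groups):
    """Value sshd would apply for `keyword` when `user` (member of `groups`) connects."""
    keyword = keyword.lower()
    global_settings, blocks = parse(config_text)
    for criteria, settings in blocks:
        if block_matches(criteria, user, groups) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword, DEFAULTS.get(keyword))


if __name__ == "__main__":
    for user, groups in (("alice", ["alice", "users"]), ("bob", ["bob", "root"])):
        print(user, "PasswordAuthentication =",
              effective(ROOT_GROUP_CONFIG, "PasswordAuthentication", user, groups))
    print("alice under TRAP_CONFIG:",
          effective(TRAP_CONFIG, "PasswordAuthentication", "alice", ["alice", "users"]))
```

On a real host the authoritative check is sshd itself: `sshd -t` validates the file, and `sshd -T -C user=bob,host=example.org,addr=192.0.2.10` prints the effective settings for that connection, so you can confirm `passwordauthentication no` for a root-group member and `yes` for everyone else. One caveat when the goal is "key only": with `UsePAM yes`, password prompts can still arrive through keyboard-interactive authentication, which `PasswordAuthentication no` does not switch off; add `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older releases) to the Match block, or on OpenSSH 6.2 and later state the requirement directly with `AuthenticationMethods publickey`.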


