Re: SSH pubkey or password based on user group



"Richard E. Silverman" <res@xxxxxxxx> writes:

"AN" == Anastassios Nanos <ananos@xxxxxxxxxxx> writes:

AN> Nikos Nikoleris wrote:
>> Hi,
>>
>> What I was trying to do is not to allow users that are in root
>> group to login using ssh in our server without having their public
>> key while every other user can choose whether they will login using
>> their password or their public key. I was searching through pam
>> modules without success if there was a way of doing this through
>> pam but I couldn't find any module that will have my job done. Does
>> anyone have any clue if there is a way of doing this

AN> hello.

AN> I'm posting in case there is someone else who wants to do that.

AN> finally, we did it ... ;-)

AN> /etc/pam.d/ssh:
AN>   auth required pam_listfile.so item=group sense=deny file=/etc/ssh/sshd.deny onerr=succeed

AN> /etc/ssh/sshd.deny:
AN>   pubkeyssh

AN> so any member of pubkeyssh group is allowed to login only with a
AN> pubkey.

AN> I'm sure there is an easier way to do it but it's more about pam
AN> than ssh.

AN> cheers,

AN> -- Anastassios Nanos <ananos@xxxxxxxxxxx>

AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos <ananos@xxxxxxxxxxx>
AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE
AN> 759D

[sshd_config]

match group root
passwordauthentication no



Does this work? From man sshd_config

***********************************
Match Introduces a conditional block. If all of the criteria on the
Match line are satisfied, the keywords on the following lines
override those set in the global section of the config file,
until either another Match line or the end of the file. The
arguments to Match are one or more criteria-pattern pairs. The
available criteria are User, Group, Host, and Address. Only a
subset of keywords may be used on the lines following a Match
keyword. Available keywords are AllowTcpForwarding,
ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset,
X11Forwarding, and X11UseLocalHost.
**************************************
This seems to say only those 7 keywords are allowed, not
passwordauthentication. Am I misreading it? Or is it just wrong?
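
A check for the question raised in the last message, as an added example that is not part of the original thread: it parses sshd_config text and reports keywords that sit inside a Match block but are not in a permitted set. The permitted set is the seven keywords from the man page excerpt quoted above, which is an assumption about the installed version (other OpenSSH versions may document a different list); the function name and the sample config are constructed for illustration.

```python
import re

# Copied from the man page excerpt quoted in the thread. This is an assumption
# about the installed version: compare it with your own sshd_config(5).
MATCH_ALLOWED = {
    "allowtcpforwarding", "forcecommand", "gatewayports", "permitopen",
    "x11displayoffset", "x11forwarding", "x11uselocalhost",
}

# A keyword, then whitespace or a single "=" as separator, then the arguments.
LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)?(.*)$")

def lint_match_blocks(config_text, allowed=MATCH_ALLOWED):
    """Return (line_no, match_criteria, keyword) for every keyword that appears
    inside a Match block but is not in `allowed` (compared case-insensitively)."""
    findings = []
    current_match = None  # criteria of the Match block we are inside, if any
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        keyword, args = m.group(1), m.group(2).strip()
        if keyword.lower() == "match":
            # A Match block runs until the next Match line or the end of file.
            current_match = args
            continue
        if current_match is not None and keyword.lower() not in allowed:
            findings.append((line_no, current_match, keyword))
    return findings

# Constructed sample: a global section followed by the block proposed in the thread.
SAMPLE = """\
PasswordAuthentication yes
PubkeyAuthentication yes

match group root
passwordauthentication no
X11Forwarding no
"""

if __name__ == "__main__":
    for line_no, criteria, kw in lint_match_blocks(SAMPLE):
        print(f"line {line_no}: '{kw}' is not in the permitted set for 'Match {criteria}'")
```

The authoritative answer for a given installation comes from running `sshd -t` against the edited file, which rejects a configuration the installed version cannot parse.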
