Re: SSH pubkey or password based on user group



"Unruh" == Unruh <unruh-spam@xxxxxxxxxxxxxx> writes:

Unruh> "Richard E. Silverman" <res@xxxxxxxx> writes:
>>>>>>> "AN" == Anastassios Nanos <ananos@xxxxxxxxxxx> writes:

AN> Nikos Nikoleris wrote:
>> >> Hi,
>> >>
>> >> What I was trying to do is not to allow users that are in the root
>> >> group to log in using ssh on our server without having their
>> >> public key, while every other user can choose whether they will
>> >> log in using their password or their public key. I was searching
>> >> through pam modules without success to see if there was a way of doing
>> >> this through pam, but I couldn't find any module that will get
>> >> my job done. Does anyone have any clue if there is a way of
>> >> doing this

AN> hello.

AN> I'm posting in case there is someone else who wants to do that.

AN> finally, we did it ... ;-)

AN> /etc/pam.d/ssh:
AN>     auth required pam_listfile.so item=group sense=deny file=/etc/ssh/sshd.deny onerr=succeed

AN> /etc/ssh/sshd.deny:
AN>     pubkeyssh

AN> so any member of pubkeyssh group is allowed to login only with a
AN> pubkey.

AN> I 'm sure there is an easier way to do it but it's more about pam
AN> than ssh.

AN> cheers,

AN> -- Anastassios Nanos <ananos@xxxxxxxxxxx>

AN> 1024D/CCCE759D 2007/04/29 Anastassios Nanos <ananos@xxxxxxxxxxx>
AN> Key fingerprint = 60EC 7B9E CD11 9AB2 C3CE B694 08D6 F033 CCCE 759D

>> [sshd_config]

>> Match Group root
>>     PasswordAuthentication no



Unruh> Does this work? From man sshd_config:

Unruh> ***********************************
Unruh> Match
Unruh>     Introduces a conditional block. If all of the criteria on the
Unruh>     Match line are satisfied, the keywords on the following lines
Unruh>     override those set in the global section of the config file,
Unruh>     until either another Match line or the end of the file. The
Unruh>     arguments to Match are one or more criteria-pattern pairs. The
Unruh>     available criteria are User, Group, Host, and Address. Only a
Unruh>     subset of keywords may be used on the lines following a Match
Unruh>     keyword. Available keywords are AllowTcpForwarding,
Unruh>     ForceCommand, GatewayPorts, PermitOpen, X11DisplayOffset,
Unruh>     X11Forwarding, and X11UseLocalHost.
Unruh> **************************************

Unruh> This seems to say only those 7 keywords are allowed, not
Unruh> PasswordAuthentication. Am I misreading it? Or is it just wrong?

The man page from the latest version (4.7) does list
passwordauthentication, and I just tested it; it does work.

--
Richard Silverman
res@xxxxxxxx
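Added example, not part of the thread and not OpenSSH's own code: a small Python model of how sshd resolves a keyword such as PasswordAuthentication through sshd_config Match blocks, which is what makes Richard's `Match Group root` / `PasswordAuthentication no` answer work while the global `PasswordAuthentication yes` still applies to everyone else. The config text, user names and addresses are constructed; the override rule it implements (within a section the first value for a keyword wins, a matching Match block overrides the global value, and among several matching blocks the first one wins) is my reading of sshd_config(5), assumed here. It ignores the keyword whitelist Unruh quotes and does not validate that a keyword is allowed inside Match. On a real server with a later OpenSSH release the authoritative check is `sshd -T -C user=root,host=<name>,addr=<ip>`, which prints the effective configuration for that connection; the PAM variant earlier in the thread works because sshd's publickey method never calls pam_authenticate, so a deny in the PAM auth stack only blocks password and keyboard-interactive logins, and with `sense=deny` the `onerr=succeed` option means an unreadable deny file denies nobody.

```python
"""Model of how sshd resolves a keyword through sshd_config Match blocks.
Added example, not from the thread. Assumed semantics: first value in a
section wins; a matching Match block overrides the global value; among
several matching blocks the first wins."""
import fnmatch
import ipaddress

# Constructed sample config: root must use a key, everyone else may use a password.
SAMPLE_CONFIG = """
PasswordAuthentication yes

Match Group root
    PasswordAuthentication no

Match User deploy Address 10.0.0.0/8
    PasswordAuthentication no
    ForceCommand /usr/local/bin/deploy-only
"""


def parse_config(text):
    """Return (global_settings, [(criteria, block_settings), ...]); keywords
    are case-insensitive in sshd_config, so they are lower-cased here."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if len(tokens) % 2:
                raise ValueError(f"Match needs criteria-pattern pairs: {line!r}")
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)  # first obtained value wins
    return global_settings, blocks


def _pattern_list_matches(pattern_list, hit):
    """Comma-separated pattern list as sshd evaluates it: a matching negated
    ('!') pattern rejects the whole list, else some positive pattern must match."""
    positive = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if hit(pat[1:] if negate else pat):
            if negate:
                return False
            positive = True
    return positive


def block_matches(criteria, user, groups, host, address):
    """Every criterion on a Match line must hold (they are ANDed)."""
    addr = ipaddress.ip_address(address)

    def addr_hit(pat):  # Address patterns may be CIDR ranges or globs
        try:
            return addr in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return fnmatch.fnmatchcase(address, pat)

    tests = {
        "user": lambda p: fnmatch.fnmatchcase(user, p),
        "group": lambda p: any(fnmatch.fnmatchcase(g, p) for g in groups),
        "host": lambda p: fnmatch.fnmatchcase(host, p),
        "address": addr_hit,
    }
    for crit, pattern in criteria.items():
        if crit not in tests:
            raise ValueError(f"unsupported Match criterion: {crit}")
        if not _pattern_list_matches(pattern, tests[crit]):
            return False
    return True


def effective_settings(config_text, user, groups, host="", address="0.0.0.0"):
    """Effective keyword values for one connection (what `sshd -T -C` prints)."""
    settings, blocks = parse_config(config_text)
    result, set_by_match = dict(settings), set()
    for criteria, block in blocks:
        if block_matches(criteria, user, groups, host, address):
            for keyword, value in block.items():
                if keyword not in set_by_match:  # earliest matching block wins
                    result[keyword] = value
                    set_by_match.add(keyword)
    return result


def password_allowed(config_text, user, groups, host="", address="0.0.0.0"):
    """True if sshd would offer password authentication to this login."""
    value = effective_settings(config_text, user, groups, host, address)
    return value.get("passwordauthentication", "yes").lower() == "yes"
```

Calling `password_allowed(SAMPLE_CONFIG, "root", ["root"])` returns False while an ordinary user gets True, and the `deploy` block shows that all criteria on one Match line are ANDed: `deploy` from 192.0.2.10 may still use a password, `deploy` from 10.1.2.3 may not and is also pinned to the ForceCommand.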
