Friday, January 21, 2011

SSHd restriction on a per-user basis

I need to restrict certain user(s) so that they can only SSH in using ssh keys and other users can login using key or password.

An example:

I'd like the root user to be able to log in remotely (through sshd) using a key, so no password would be accepted (even if the password is right).

For other users (everyone else on the system), they can log in using key and/or password.

How would I do that?

  • Set up ssh as follows:

    nano /etc/ssh/sshd_config
    
    AllowUsers username1 username2 username3
    

    Restart SSH

    Then provide the keys to those who you would like to avoid using passwords.

    ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created:

    #ssh-keygen -t rsa
    

    The command ssh-keygen -t rsa initiated the creation of the key pair.

    I didn't enter a passphrase for my setup (Enter key was pressed instead).

    The private key was saved in .ssh/id_rsa. This file is read-only and only for you. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key.

    The public key is saved in .ssh/id_rsa.pub.

    Its content is then copied in file .ssh/authorized_keys of the system you wish to SSH to without being prompted for a password.

    #scp id_rsa.pub remote-system:~/.ssh/authorized_keys
    

    Finally lock the account (Key authentication will still be possible.)

    # passwd -l username1
    
    alexus: That's not what I'm looking for. Let's say I want root to be logged in using keys only, and other users can be logged in with key or password.

    Patrick R: Then don't lock the account with passwd -l username1.

    From Patrick R
  • What I would do is to set /etc/sshd/sshd_config such that:

    PermitRootLogin without-password
    

    Just for extra security and to avoid having the root password locked (it would only allow root to log in using a key).

    I would use AllowGroups instead of AllowUsers, as for me it would be more convenient to add users to a group rather than to sshd_config, but that could depend on your personal preferences.

    From golan
  • I think what you want is "Match User". You use it to match a username, then indent a series of config settings that apply specifically to that user.

    Match User Joe
      PasswordAuthentication no
    
    Match User Jane
      PasswordAuthentication yes
    

    I use this to set up chroot SFTP-only access sometimes for clients.
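The two answers above combine into one working configuration: keep PasswordAuthentication enabled globally, and turn it off only inside a "Match User root" block placed at the end of sshd_config. The part that trips people up is that every line after a Match line belongs to that block until the next Match, so an option meant to be global that lands after a Match block is silently scoped to it. The script below is an added example (not from the original post or from OpenSSH) with a small awk evaluator that models just those rules for PasswordAuthentication, plus two constructed sample configs: the intended one and the misplaced-option mistake. It assumes POSIX sh and awk, models only "Match User" and "Match all" (any other criterion is assumed not to match), and does exact name matching rather than sshd's pattern matching.

```shell
#!/bin/sh
# Added example: a tiny evaluator of sshd_config "Match User" scoping for the
# PasswordAuthentication keyword. It is NOT sshd; it only models the rules that
# matter here: options before the first Match are global, every line after a
# Match belongs to that block until the next Match, a matching Match block
# overrides the global value, and the first value seen wins.
# Assumption: only "Match User name[,name...]" and "Match all" are modelled;
# any other criterion (Address, Group, ...) is treated as not matching.

effective_password_auth() {   # usage: effective_password_auth CONFIG_FILE USER
    awk -v user="$2" '
        { sub(/#.*/, "") }                       # drop comments
        /^[[:space:]]*$/ { next }                # drop blank lines
        tolower($1) == "match" {
            in_match = 1; applies = 1; i = 2
            while (i <= NF) {
                crit = tolower($i)
                if (crit == "all") { i++; continue }
                if (crit == "user") {
                    n = split($(i+1), names, ","); found = 0
                    for (j = 1; j <= n; j++) if (names[j] == user) found = 1
                    if (!found) applies = 0
                } else {
                    applies = 0                  # unmodelled criterion: assume no match
                }
                i += 2
            }
            next
        }
        tolower($1) == "passwordauthentication" {
            v = tolower($2)
            if (in_match) { if (applies && match_val == "") match_val = v }
            else if (global_val == "") global_val = v
        }
        END {
            if (match_val != "") print match_val
            else if (global_val != "") print global_val
            else print "yes"                     # sshd default when unset
        }
    ' "$1"
}

# Constructed sample: the configuration the question asks for. Match blocks
# sit at the END of the file, after all global options. "prohibit-password"
# is the current spelling of the "without-password" value used above.
write_good_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
PasswordAuthentication yes
PermitRootLogin prohibit-password
Match User root
    PasswordAuthentication no
Match User deploy,backup
    PasswordAuthentication no
EOF
    echo "$f"
}

# Constructed sample of a common mistake: the last line was meant to be global
# but sits after a Match block, so it only applies to root; everyone else keeps
# the default (password allowed).
write_bad_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Match User root
    PasswordAuthentication no
PasswordAuthentication no
EOF
    echo "$f"
}

main() {
    good=$(write_good_config); bad=$(write_bad_config)
    for u in root alice backup; do
        printf '%-7s good=%-3s bad=%s\n' "$u" \
            "$(effective_password_auth "$good" "$u")" \
            "$(effective_password_auth "$bad" "$u")"
    done
    rm -f "$good" "$bad"
}

main
```

On a real host, the authoritative check is sshd itself: `sshd -t -f /etc/ssh/sshd_config` validates the syntax, and `sshd -T -C user=root -f /etc/ssh/sshd_config` prints the effective settings for a given user so you can confirm "passwordauthentication no" applies to root and "yes" to everyone else before restarting the daemon.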
