Friday, January 21, 2011

SSHd restriction per user basis

I need to restrict certain user(s) so that they can only SSH in using ssh keys and other users can login using key or password.

an example:

i'd like for root user to be able to login remotely (through sshd) using key, so no password would be accepted (even if password is right)

and for other users (everyone on the system) they can log in using key and/or password

how would I do that?

From serverfault alexus

  • Set up ssh as follows:

    nano /etc/ssh/sshd_config

AllowUsers username1 username2 username3

    Restart SSH

    Then provide the keys to those who you would like to avoid using passwords.

    ssh-keygen is used to generate that key pair for you. Here is a session where your own personal private/public key pair is created:

    #ssh-keygen -t rsa

    The command ssh-keygen -t rsa initiated the creation of the key pair.

    I didn't enter a passphrase for my setup (Enter key was pressed instead).

    The private key was saved in .ssh/id_rsa. This file is read-only and only for you. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key.

    The public key is save in .ssh/id_rsa.pub.

    Its content is then copied in file .ssh/authorized_keys of the system you wish to SSH to without being prompted for a password. 

    #scp id_rsa.pub remote system:~/.ssh/authorized_keys

    Finally lock the account (Key authentication will still be possible.)

    # passwd -l username1
    alexus : that's not what i'm looking for. let's say i want root to be logged in using keys only and other users can be logged with key or password
    Patrick R : then don't lock the account with passwd -l username1
    From Patrick R

  • What I would do is to set /etc/sshd/sshd_config such that:

    PermitRootLogin without-password

    just for extra security and to avoid having the root password locked (it would only allow root to log in using a key)

    I would instead use AllowGroups instead of AllowUser, as for me it would be more convenient to add users to a group rather than to sshd_config but that could depend on your personal preferences.

    From golan

  • I think what you want is "Match User". You use it to match a username, then indent a series of config settings that apply specifically to that user.

    Match User Joe
  PasswordAuthentication no

Match User Jane
  PasswordAuthentication yes

    I use this to set up chroot SFTP-only access sometimes for clients.

    From Devin Ceartas
Posted by Mu Cat at 7:29 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)