Thread: SSHD shared key only

  1. #1

    SSHD shared key only

    I know how to set up sshd_config for shared key only access. Is it possible, however, to set up shared key only access for specific users? Example:
    Users ABCD: I want them to only be able to log in with shared keys.
    Users EFGH: I want them to be able to use a shared key, or if that key gets lost, corrupted or whatever, EFGH can still use a password, keyboard-interactive. How would I go about doing that?

  2. #2
    Join Date
    Jun 2008
    Location
    Frisco, TX
    Posts
    1,233

    Re: SSHD shared key only

    On Mon, 2010-05-24 at 15:36 +0000, dhonnoll wrote:
    > I know how to set up sshd_config for shared key only access. Is it
    > possible however, to set up shared key only access for specific users.
    > Example
    > Users ABCD I want them to only be able to login with shared keys
    > Users EFGH I want them to be able to use a shared key, or if that key
    > gets lost, corrupted or whatever, EFGH can still use a password,
    > keyboard-interactive. How would I go about doing that?
    >
    >


    I don't think there's anything for normal users like there is with
    PermitRootLogin.

    So... one idea, though possibly a bit complicated.... enable UsePAM in
    sshd_config and control access for interactive logins that way (??).

    I haven't actually tried to do this... just an idea.



  3. #3
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Re: SSHD shared key only

    You could try a Match block for certain users:

    Code:
    Match User E,F,G,H
    PasswordAuthentication yes
    Match
    Unfortunately UsePAM doesn't seem to be allowed inside a Match block, so I'm guessing about PasswordAuthentication. Let us know if it works.
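
The per-user override suggested above, as an added example that is not part of the original posts: a simplified Python model of how sshd resolves a keyword for one user (first global value, overridden by the first value in a satisfied Match block), run on a constructed config with the Match block at the end of the file. The config text, the lowercase usernames and the helper names are assumptions; only `Match User` and `Match all` are modelled.

```python
import fnmatch

# Constructed sample: keys only by default, password fallback for e, f, g, h.
# A Match block runs to the next Match line or the end of the file.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

Match User e,f,g,h
    PasswordAuthentication yes
"""

def user_matches(user, pattern_list):
    """Comma-separated globs; a matching '!pattern' entry vetoes the match."""
    matched = False
    for pat in pattern_list.split(","):
        if fnmatch.fnmatchcase(user, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def effective_settings(config_text, user):
    """First global value wins; the first value from a satisfied Match block
    then overrides it. Only 'Match User' and 'Match all' are modelled."""
    global_opts, match_opts = {}, {}
    in_match = active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        keyword = keyword.lower()
        if keyword == "match":
            crit = value.split()
            if len(crit) == 2 and crit[0].lower() == "user":
                active = user_matches(user, crit[1])
            elif [c.lower() for c in crit] == ["all"]:
                active = True
            else:
                raise ValueError("unsupported Match criteria: %r" % value)
            in_match = True
        elif not in_match:
            global_opts.setdefault(keyword, value)
        elif active:
            match_opts.setdefault(keyword, value)
    return {**global_opts, **match_opts}

def password_allowed(config_text, user):
    # sshd's built-in default for PasswordAuthentication is "yes" when unset.
    opts = effective_settings(config_text, user)
    return opts.get("passwordauthentication", "yes") == "yes"
```

On a real host, `sshd -T -C user=NAME` prints the settings sshd itself resolves for that user; some older releases also require `host=` and `addr=` in the `-C` spec.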

  4. #4
    Join Date
    Jun 2008
    Location
    Frisco, TX
    Posts
    1,233

    Re: SSHD shared key only

    On Mon, 2010-05-24 at 22:36 +0000, ken yap wrote:
    > You could try a Match block for certain users:
    >
    >
    > Code:
    > --------------------
    > Match User E,F,G,H
    > PasswordAuthentication yes
    > Match
    > --------------------
    >
    >
    > Unfortunately UsePAM doesn't seem to be allowed inside a Match block,
    > so I'm guessing about PasswordAuthentication. Let us know if it works.
    >
    >


    Wow... didn't know about Match... that could be the secret here.


