Re: Disable SSH passwords per user

Previous thread: Seeking Advice on URL Redirection by lists on Monday, January 4, 2010 - 5:11 pm. (4 messages)

Next thread: sili port multiplier support by nixlists on Monday, January 4, 2010 - 7:36 pm. (2 messages)
From: Ted
Date: Monday, January 4, 2010 - 5:18 pm

Had a quick Google and search of marc, but came up with no answers.

Is it possible to disable password based logins per user (like with
the adduser --disabled-password in linux) on OpenBSD, and therefore
have the user only use SSH Keys? I'm aware of the sshd_config setting
"PasswordAuthentication no" which makes this occur system wide.

I just wanted to ensure I'm not missing something else, in setting up
a single user on a system that doesn't have "PasswordAuthentication
no" set for system wide SSH logins. Maybe using login classes?

The reason: I'm trying to setup gitosis
(http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an
OpenBSD server, but the README is linux centric.

--
Ted

From: Eugene Yunak
Date: Monday, January 4, 2010 - 5:32 pm

You can use per user rules in sshd_config, just read the man page.

-- 
The best the little guy can do is what
the little guy does right

From: Ted
Date: Monday, January 4, 2010 - 5:56 pm

I've read the man page a number of times, and didn't see that. The
closest thing was "AllowUsers", but this is for enabling and
disabling logins per user, not limiting a user to SSH key logins only.

But after reading the ssh_config manpage, I note that one can set
"PasswordAuthentication no" in a per-user configuration file,
~/.ssh/config.
The problem with this is the manpage states "this file must have
strict permissions: read/write for the user, and not accessible by
others".
This means the user can edit this after logging in, and remove or
change the PasswordAuthentication variable.

--
Ted

From: Nicholas Marriott
Date: Monday, January 4, 2010 - 5:35 pm

sshd_config(5), look at "Match".

You may also want to look at command= in sshd(8).

And of course you can always set an impossible password hash to prevent
password logins...



From: Ted
Date: Monday, January 4, 2010 - 6:03 pm

On Tue, Jan 5, 2010 at 11:35 AM, Nicholas Marriott

That's what I was missing. Was reading over that and my mind was
reading match for Host or Address only.
Now I know I can do a Match pattern on User with PasswordAuthentication.


True.

--
Ted

From: Lars Nooden
Date: Tuesday, January 5, 2010 - 10:44 am

You can also Match a group which will be useful if you wish to disable
password authentication for more than one user now or to leave the
option open in the future.

/Lars
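To make the Match semantics discussed in this thread concrete, here is an added example (not code from the thread, OpenBSD or OpenSSH): a small evaluator that reads an sshd_config fragment and reports which PasswordAuthentication value sshd would apply for a given user, following the rules in sshd_config(5): a Match block overrides the global section, and when several Match blocks are satisfied only the first instance of a keyword applies. The sample config is constructed for the example; the user name "git" and the group name "keyonly" are assumptions. Only the User and Group criteria are modelled, and patterns use fnmatch-style wildcards, which is a simplification of sshd's own pattern matching.

```python
"""Evaluate sshd_config Match blocks for the User/Group criteria (example code)."""
from fnmatch import fnmatchcase

# Constructed sample config: global section keeps passwords on, two Match blocks turn them off.
SAMPLE_CONFIG = """
# global section: everyone not caught by a Match block may still use a password
PasswordAuthentication yes
PubkeyAuthentication yes

Match User git
    PasswordAuthentication no

Match Group keyonly,!wheel
    PasswordAuthentication no
    X11Forwarding no
"""

# Compiled-in defaults used when neither a Match block nor the global section sets the keyword.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes", "x11forwarding": "no"}


def match_pattern(value, pattern_list):
    """sshd pattern-list semantics: comma-separated patterns, * and ? wildcards,
    a leading ! negates; a negated hit rejects immediately, otherwise any positive hit matches."""
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatchcase(value, pat):  # simplification: fnmatch also treats [...] specially
            if negate:
                return False
            matched = True
    return matched


def match_group(groups, pattern_list):
    """Group criterion: satisfied if any of the user's groups matches, unless one hits a negation."""
    found = False
    for g in groups:
        negated_hit = any(p.startswith("!") and fnmatchcase(g, p[1:]) for p in pattern_list.split(","))
        if negated_hit:
            return False
        if match_pattern(g, pattern_list):
            found = True
    return found


def parse_config(text):
    """Return (global_settings, blocks); blocks is a list of (criteria, settings) in file order."""
    global_settings, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)  # keyword and argument separated by whitespace
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            tokens = value.split()
            if [t.lower() for t in tokens] == ["all"]:
                criteria = {"all": ""}
            elif len(tokens) % 2 == 0 and tokens:
                criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}
            else:
                raise ValueError("malformed Match line: %r" % raw)
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_settings.append((key, value))
        else:
            current[1].append((key, value))
    return global_settings, blocks


def block_applies(criteria, user, groups):
    """All criteria on a Match line must be satisfied for the block to apply."""
    for crit, pattern in criteria.items():
        if crit == "all":
            continue
        if crit == "user":
            if not match_pattern(user, pattern):
                return False
        elif crit == "group":
            if not match_group(groups, pattern):
                return False
        else:
            raise ValueError("criterion %r not modelled in this example" % crit)
    return True


def effective(text, keyword, user, groups=()):
    """Value sshd would use for keyword: first satisfied Match block that sets it,
    else the global section (first occurrence wins there too), else the default."""
    keyword = keyword.lower()
    global_settings, blocks = parse_config(text)
    for criteria, settings in blocks:
        if block_applies(criteria, user, groups):
            for k, v in settings:
                if k == keyword:
                    return v
    for k, v in global_settings:
        if k == keyword:
            return v
    return DEFAULTS.get(keyword)


def password_login_allowed(text, user, groups=()):
    return effective(text, "PasswordAuthentication", user, groups) == "yes"


if __name__ == "__main__":
    for user, groups in (("git", ("git",)), ("alice", ("alice",)), ("ops", ("ops", "keyonly", "wheel"))):
        print(user, "password login allowed:", password_login_allowed(SAMPLE_CONFIG, user, groups))
```

On the real host the authoritative check is sshd itself: `sshd -T -C user=git` prints the effective configuration for that connection, which is what the example approximates. Note that the "Match Group keyonly,!wheel" block shows the negation caveat: a user who is in both keyonly and wheel is excluded by the "!wheel" pattern, so the global "PasswordAuthentication yes" applies to them.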
