[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Configuring ssh

On Mon, Nov 06, 2000 at 12:08:17PM +0300, Alan KF LAU wrote:
> My major concern is that if you enabled password authentication you'd
> leave your system vulnerable to brute force password attacked as in
> Beside, if one could use password authentication, why would one bother
> to take all the trouble setting up RSA connection? :)
> I did ask question here, whether I could let one group of user use
> password authentication(for casual users with limited access) and the
> other group of users use RSA(for admin. users who have higher
> privileges).
> Seem like it's not possible, according to expert opinions here,  for 
> current ssh release.
> I might be wrong, please advise if it's possible. I wish to know! :)

it is possible, but only as a result of ssh's halfway pam support that
this works:


auth       required     pam_listfile.so item=user sense=deny \
	file=/etc/ssh/ssh_rsa_only onerr=succeed

to /etc/pam.d/ssh

and add RSA only usernames to /etc/ssh/ssh_rsa_only

the only reason this works is because ssh ignores (or doesn't run?)
all pam auth modules when doing RSA authentication.  this is not
tested on OpenSSH 2.0, only OpenSSH 1.2*

Ethan Benson

Attachment: pgphmQZIgfqYM.pgp
Description: PGP signature

Reply to: