
Re: authentication in ssh



Hmm, just occurred to me that you could do the following, though I think it
would be considered a kludge.  Run 2 sshd daemons on different ports.  On
the standard port 22 run one that needs password auth. Start a second
custom sshd configured to use port xxx and use
/etc/ssh/sshd_config.powerusers as its config file. You could set up a
second init script to take care of this for you.  In the poweruser config
file specify only key based authentication. (I do hope you're requiring
passphrases too, or in my opinion key based is LESS secure) In your
standard sshd_config specify DenyUsers/Groups for your powerusers.  In
poweruser config file set AllowUsers/Groups for your power users and
DenyUsers for all others.

This would mean however that your power users would need to custom
configure their ssh clients to talk to your oddball port. Kind of
inconvenient...



--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60616
ehle@iit.edu
312-567-3751


On Wed, 12 Nov 2003, Adam ENDRODI wrote:

>
> How can I tell sshd to only accept a particular authentication
> method for some users, while letting others use any methods
> they wish?
>
> One of our servers has two kinds of users: a group of
> low-privileged ones and a few power users.  The former class
> may choose to log in by providing his password, but I want the
> latter to use his private key, which I consider a more secure
> alternative.  On the other hand, they need to retain their unix
> password, so I cannot just fill that with garbage.
>
> I've looked at the recent openssh sources but it didn't seem
> to support this kind of distinction.  One possibility I can
> think of is PAM, but I don't know which module to use.
>
> Any suggestion would be greatly appreciated.
>
> bit,
> adam
>
> --
> 1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
> finger://borso@vekoll.vein.hu | Some days, my soul's confined
> http://www.keyserver.net | And out of mind
> Sleep forever
>
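A consistency check for the two-daemon layout suggested in the reply above, as an added example that is not part of the original message or of OpenSSH. The port 2222, the group name "powerusers" and both sample configs are constructed assumptions; allow/deny entries are compared as literal names (no wildcard or user@host patterns).

```python
# Constructed sample configs; port 2222 and group "powerusers" are assumptions.
STANDARD = """\
Port 22
PasswordAuthentication yes
DenyGroups powerusers
"""
POWERUSERS = """\
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups powerusers
"""
LISTS = {"port", "allowusers", "allowgroups", "denyusers", "denygroups"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated alias

def parse(text):
    """Global section of an sshd_config as {keyword: [args]} (keywords are case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = ALIASES.get(words[0].lower(), words[0].lower())
        if key == "match":  # conditional blocks are out of scope for this check
            break
        if key in LISTS:
            cfg.setdefault(key, []).extend(words[1:])  # repeated lines accumulate
        else:
            cfg.setdefault(key, words[1:])  # first value wins
    return cfg

def audit(standard, power):
    """List the ways the two configs fail to enforce the split described in the post."""
    s, p = parse(standard), parse(power)
    value = lambda cfg, k: (cfg.get(k) or ["yes"])[0].lower()  # upstream default: yes
    out = []
    for k, want in (("passwordauthentication", "no"),
                    ("kbdinteractiveauthentication", "no"), ("pubkeyauthentication", "yes")):
        if value(p, k) != want:
            out.append(f"power-user daemon: {k} should be {want}")
    if not (p.get("allowusers") or p.get("allowgroups")):
        out.append("power-user daemon has no AllowUsers/AllowGroups")
    for allow, deny in (("allowusers", "denyusers"), ("allowgroups", "denygroups")):
        for name in sorted(set(p.get(allow, [])) - set(s.get(deny, []))):
            out.append(f"{name} ({allow}) is not in {deny} on the standard daemon")
    if set(s.get("port", ["22"])) & set(p.get("port", ["22"])):
        out.append("both daemons listen on the same port")
    return out
```

The keyboard-interactive check matters because, with PAM enabled, that method can still carry a password prompt even when PasswordAuthentication is set to no.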


