Re: Allow password auth for one user with sftp?
On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:
> On Thursday 11 January 2007 20:15, Michel Messerschmidt wrote:
> > On Thu, Jan 11, 2007 at 06:55:33PM +0100, Adrian von Bidder wrote:
> > > Anybody has an idea if and how this is possible? The obvious but ugly
> > > solution would be to run a second sshd on a different port, but I'd
> > > rather avoid that.
> >
> > If I understand this correctly, it's not a matter of public key or
> > password authentication but rather to give shell access to only one
> > user.
>
> Wrong.
>
> I have users a, b, c, d, e. All users except e can have shell access, but
> beecause shell access is powerful, must not be able to log in with
> password, but only with public key. User e is allowed to log in with
> password and is restricted by rssh to only use scp, sftp or rsync so that
> even if that password is stolen/guessed, the attacker can at most deface
> the hosted web site in e's directory.
You could set the passwords for a, b, c, and d to some invalid hash
in /etc/passwd, so no password will actually work, but public keys do
work. Like ubuntu does with 'root' in the default install.
For (old) ftp connections, I used to set the user's shell to something
that's not in /etc/shells. I haven't tried with scp, but I think scp
needs a valid shell.
Maybe you can set user e's shell to rbash(1).
> Judging from the replies I've received so far I'll just end up running a 2nd
> sshd on port 2222 or wherever.
>
> cheers
> -- vbi
>
>
Regards,
Berend
--
Confidentiality notice: http://ucs.co.za/conf.html
Reply to: