
Re: Allow password auth for one user with sftp?



On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:
> On Thursday 11 January 2007 20:15, Michel Messerschmidt wrote:
> > On Thu, Jan 11, 2007 at 06:55:33PM +0100, Adrian von Bidder wrote:
> > > Anybody has an idea if and how this is possible?  The obvious but ugly
> > > solution would be to run a second sshd on a different port, but I'd
> > > rather avoid that.
> >
> > If I understand this correctly, it's not a matter of public key or
> > password authentication but rather to give shell access to only one
> > user.
> 
> Wrong.
> 
> I have users a, b, c, d, e.  All users except e can have shell access, but
> because shell access is powerful, must not be able to log in with
> password, but only with public key.  User e is allowed to log in with
> password and is restricted by rssh to only use scp, sftp or rsync so that
> even if that password is stolen/guessed, the attacker can at most deface
> the hosted web site in e's directory.

You could set the passwords for a, b, c, and d to some invalid hash
in /etc/passwd, so no password will actually work, but public keys do
work.  Like ubuntu does with 'root' in the default install.

For (old) ftp connections, I used to set the user's shell to something
that's not in /etc/shells.  I haven't tried with scp, but I think scp
needs a valid shell.

Maybe you can set user e's shell to rbash(1).

> Judging from the replies I've received so far I'll just end up running a 2nd
> sshd on port 2222 or wherever.
> 
> cheers
> -- vbi
> 
> 
Regards,
Berend

-- 
Confidentiality notice: http://ucs.co.za/conf.html
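An added example, not from anyone in this thread: the per-user split Adrian describes can be done in a single sshd_config with a Match block (OpenSSH 4.4 and later), with passwords off globally and on only for user e. The chroot path is an assumption; ChrootDirectory and the internal-sftp subsystem need OpenSSH 4.9 or later.

```sshd_config
# Added example, not from the original thread.
# Global defaults: public keys only, no passwords for anyone.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# User e alone may authenticate with a password, and gets sftp only.
# Assumed chroot path; it must be owned by root and not group/world-writable.
Match User e
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/www/e
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# Check the effective settings sshd would apply to a given user:
#   sshd -T -C user=e | grep -i -e passwordauthentication -e forcecommand
#   sshd -T -C user=a | grep -i passwordauthentication
```

ForceCommand internal-sftp allows sftp only, so if e also needs scp or rsync, keep rssh as e's shell and drop the ForceCommand and ChrootDirectory lines. Locking the password hashes of a through d as Berend suggests still makes sense as a second layer in case the global PasswordAuthentication setting is ever changed.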