Re: Allow password auth for one user with sftp?



On Monday 15 January 2007 10:26, Berend De Schouwer wrote:
> On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:

> > I have users a, b, c, d, e.  All users except e can have shell access,
> > but because shell access is powerful, must not be able to log in with
> > password, but only with public key.  User e is allowed to log in with
> > password and is restricted by rssh to only use scp, sftp or rsync so
> > that even if that password is stolen/guessed, the attacker can at most
> > deface the hosted web site in e's directory.
>
> You could set the passwords for a, b, c, and d to some invalid hash
> in /etc/passwd, so no password will actually work, but public keys do
> work.  Like Ubuntu does with 'root' in the default install.

Good idea, except that I need a valid password for access via imaps :-(

> For (old) ftp connections, I used to set the user's shell to something
> that's not in /etc/shells.  I haven't tried with scp, but I think scp
> needs a valid shell.
>
> Maybe you can set user e's shell to rbash(1).

As stated, I can restrict to scp/sftp/rsync by using rssh.  That part of my 
setup works just fine.

I think I'll try if I can get openssh 4.4 with its per user configuration.  
I just hope there is a Debian package soonish (even if not in etch), I 
don't like essential software installed without the benefit of the package 
management...

cheers
-- vbi

-- 
Available for key signing in Zürich and Basel, Switzerland
                    (what's this? Look at http://fortytwo.ch/gpg/intro)
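
The per-user configuration mentioned in this message is written in sshd_config as a Match block. The fragment below is an added example, not part of the original message; it assumes an OpenSSH release whose Match blocks accept PasswordAuthentication (check sshd_config(5) for the installed version), and the user name e is taken from the thread.

```sshdconfig
# /etc/ssh/sshd_config (fragment), constructed example

# Global defaults: these apply to a, b, c, d and every other account.
PubkeyAuthentication yes
PasswordAuthentication no
# With UsePAM enabled, keyboard-interactive can also prompt for the
# account password, so it is switched off too.
# (Older releases spell this keyword ChallengeResponseAuthentication.)
KbdInteractiveAuthentication no

# A Match block runs until the next Match line or the end of the file,
# so it must come after all global settings.
Match User e
    PasswordAuthentication yes
```

The account passwords themselves are untouched, so services that authenticate separately from sshd (imaps here) keep working, and e stays confined by rssh as its login shell. Run `sshd -t` to check the file for syntax errors before reloading the daemon.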
