On Monday 15 January 2007 10:26, Berend De Schouwer wrote:
> On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:
> > I have users a, b, c, d, e. All users except e can have shell access,
> > but because shell access is powerful, must not be able to log in with
> > password, but only with public key. User e is allowed to log in with
> > password and is restricted by rssh to only use scp, sftp or rsync so
> > that even if that password is stolen/guessed, the attacker can at most
> > deface the hosted web site in e's directory.
>
> You could set the passwords for a, b, c, and d to some invalid hash
> in /etc/passwd, so no password will actually work, but public keys do
> work. Like Ubuntu does with 'root' in the default install.

Good idea, except that I need a valid password for access via imaps :-(

> For (old) ftp connections, I used to set the user's shell to something
> that's not in /etc/shells. I haven't tried with scp, but I think scp
> needs a valid shell.
>
> Maybe you can set user e's shell to rbash(1).

As stated, I can restrict to scp/sftp/rsync by using rssh. That part of my setup works just fine.

I think I'll try if I can get openssh 4.4 with its per user configuration. I just hope there is a Debian package soonish (even if not in etch), I don't like essential software installed without the benefit of the package management...

cheers
-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)
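The per-user policy discussed in this thread (key-only logins for a, b, c and d, password login only for the rssh-restricted user e) can be audited once it is written as `Match User` blocks. The following is an added example, not part of the original message: the sample config is constructed, it assumes an OpenSSH release that accepts `PasswordAuthentication` inside a `Match` block, and the helper names are hypothetical.

```python
import fnmatch

# Constructed sample config for the setup in the thread: key-only logins by
# default, password login only for the rssh-restricted user "e".
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no

Match User e
    PasswordAuthentication yes
    X11Forwarding no
    AllowTcpForwarding no
"""

def user_matches(patterns, user):
    """Evaluate a comma-separated Match User pattern list (* ? and ! negation)."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(user, pat[1:]):
                return False          # a negated match rejects the user outright
        elif fnmatch.fnmatchcase(user, pat):
            matched = True
    return matched

def effective(config, user, keyword, default):
    """First value wins in each scope; a matching Match block overrides global."""
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True
            # Simplification: only a single "User <patterns>" criterion is handled.
            applies = (len(args) == 2 and args[0].lower() == "user"
                       and user_matches(args[1], user))
        elif key == keyword and args:
            if not in_match and global_val is None:
                global_val = args[0].lower()
            elif in_match and applies and match_val is None:
                match_val = args[0].lower()
    return match_val or global_val or default

def password_login_users(config, users):
    """Return the users for whom sshd would still offer password login."""
    return [u for u in users
            if effective(config, u, "PasswordAuthentication", "yes") == "yes"]
```

On a live host, `sshd -T -C user=e` prints the configuration sshd itself resolves for that user and is the authoritative check.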