Re: Allow password auth for one user with sftp?



On Mon, 2007-01-15 at 16:08 +0100, Adrian von Bidder wrote:
> On Monday 15 January 2007 10:26, Berend De Schouwer wrote:
> > On Sun, 2007-01-14 at 14:36 +0100, Adrian von Bidder wrote:
> 
> > > I have users a, b, c, d, e.  All users except e can have shell access,
> > > but because shell access is powerful, must not be able to log in with
> > > password, but only with public key.  User e is allowed to log in with
> > > password and is restricted by rssh to only use scp, sftp or rsync so
> > > that even if that password is stolen/guessed, the attacker can at most
> > > deface the hosted web site in e's directory.
> >
> > You could set the passwords for a, b, c, and d to some invalid hash
> > in /etc/passwd, so no password will actually work, but public keys do
> > work.  Like Ubuntu does with 'root' in the default install.
> 
> Good idea, except that I need a valid password for access via imaps :-(

Ouch!  Then you need fine-grained access control.  Which means playing a
lot with the files in /etc/pam.d/ and /etc/security/.  Unfortunately not
all apps support all the options.  They make for an interesting read,
anyway.


Regards,
Berend

-- 
Confidentiality notice: http://ucs.co.za/conf.html