[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Restrict ssh logins

On Mon, 2006-06-26 at 16:50 -0400, Eric d'Alibut wrote:
> On 6/25/06, Lothar Braun <debian@lobraun.de> wrote:
> > You should define a global authorized_keys file then. Use
> > AuthorizedKeysFile in your /etc/ssh/sshd_conf to set the path to your
> > file.
> I note in the sshd_config man page that the AuthorizedKeysFile may
> make use of tokens ('%h') for things such as usernames, home dirs,
> etc. I can't seem to find an example of what, in practice, the syntax
> for such tokens is in that file. Does anyone have an example?
> tia as per usual,

Let's go:

Assume we have two users:

bob with home directory /home/bob/
alice with home directory /nfs-share/all-homes/alice/


If you put

AuthorizedKeysFile %h/.ssh/authorized_keys

in your sshd_config, sshd will look at /home/bob/.ssh/authorized_keys
and /nfs-share/all-homes/alice/.ssh.authorized_keys.


AuthorizedKeysFile %u/.ssh/authorized_keys

will make sshd look at /home/bob/.ssh/authorized_keys
and /home/alice/.ssh/authorized_keys (and it won't find the
authorized_keys file from alice, because /home/alice doesn't exist)


AuthorizedKeysFile /root/%%/authorized_keys

will make sshd look for a file named /root/%/authorized_keys. This means
that it will look for a directory named %.


Reply to: