Hmm, just occurred to me that you could do the following, though I think it would be considered a kludge. Run 2 sshd daemons on different ports. On the standard port 22 run one that needs password auth. Start a second custom sshd configured to use port xxx and use /etc/ssh/sshd_config.powerusers as its config file. You could set up a second init script to take care of this for you. In the poweruser config file specify only key based authentication. (I do hope you're requiring passphrases too, or in my opinion key based is LESS secure.) In your standard sshd_config specify DenyUsers/Groups for your powerusers. In the poweruser config file set AllowUsers/Groups for your power users and DenyUsers for all others.
This would mean however that your power users would need to custom configure their ssh clients to talk to your oddball port. Kind of inconvenient...

--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60616
[EMAIL PROTECTED]
312-567-3751

On Wed, 12 Nov 2003, Adam ENDRODI wrote:

>
> How can I tell sshd to only accept a particular authentication
> method for some users, while letting others to use any methods
> they wish?
>
> One of our servers has two kinds of users: a group of
> low-privileged ones and a few power users. The former class
> may choose to log in by providing his password, but I want the
> latter to use his private key, which I consider a more secure
> alternative. On the other hand, they need to retain their unix
> password, so I cannot just fill that with garbage.
>
> I've looked at the recent openssh sources but it didn't seem
> to support this kind of distinction. One possibility I can
> think of is PAM, but I don't know which module to use.
>
> Any suggestion would be greatly appreciated.
>
> bit,
> adam
>
> --
> 1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
> finger://[EMAIL PROTECTED] | Some days, my soul's confined
> http://www.keyserver.net | And out of mind
> Sleep forever
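
Added example, not part of the original message or of OpenSSH: a small Python check of the two-daemon split described in the reply, run over constructed config text, reporting any power user who can still log in without a key. The group name `powerusers`, the users, and port 2222 (standing in for "port xxx") are assumptions; the check also counts keyboard-interactive (`ChallengeResponseAuthentication`) as a password path, because leaving it enabled on the key-only daemon can still produce a password prompt through PAM.

```python
# Added example: STANDARD and POWER model the two config files in the message.
# Group "powerusers", users alice/bob and port 2222 (for "port xxx") are made up.
STANDARD = """\
# /etc/ssh/sshd_config: port 22, passwords allowed, power users refused
Port 22
PasswordAuthentication yes
DenyGroups powerusers
"""
POWER = """\
# /etc/ssh/sshd_config.powerusers: second daemon, keys only
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups powerusers
"""
LISTS = ("allowusers", "denyusers", "allowgroups", "denygroups")
METHODS = {"pubkeyauthentication": "publickey",
           "passwordauthentication": "password",
           "challengeresponseauthentication": "keyboard-interactive"}

def parse(text):
    """Simplified sshd_config reader: no Match blocks, no name patterns."""
    cfg = {k: [] for k in LISTS}
    for parts in map(str.split, text.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key in LISTS:
            cfg[key] += parts[1:]                  # list keywords accumulate
        else:
            cfg.setdefault(key, " ".join(parts[1:]).lower())  # first value wins
    return cfg

def methods(cfg, user, groups):
    """Authentication methods `user` (in the set `groups`) can reach here."""
    if (user in cfg["denyusers"] or groups & set(cfg["denygroups"])
            or (cfg["allowusers"] and user not in cfg["allowusers"])
            or (cfg["allowgroups"] and not groups & set(cfg["allowgroups"]))):
        return set()                               # refused before any method
    # All three methods default to "yes" when the file does not mention them.
    return {m for k, m in METHODS.items() if cfg.get(k, "yes") == "yes"}

def audit(configs, users, group="powerusers"):
    """(user, port) pairs where a power user can log in without a key."""
    return [(u, c["port"]) for c in configs for u, gs in users.items()
            if group in gs and methods(c, u, gs) - {"publickey"}]

USERS = {"alice": {"users"}, "bob": {"users", "powerusers"}}
print(audit([parse(STANDARD), parse(POWER)], USERS))   # [] when the split holds
```

Dropping the `ChallengeResponseAuthentication no` line from the key-only config makes the audit report `bob` on port 2222, which is the gap this split most easily leaves open.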