On Mon, 2004-10-11 at 20:03 +0100, Stephen Tait wrote:
> This is somewhat tangential to my other thread, which is by-and-large 
> sorted now, but I thought it might be worth a repost since it is an 
> entirely different problem.
> 
> I have a bunch of users that have now been set up to use SSH keys for all 
> login purposes; however, they currently have password based auth as well, 
> and I'm unsure how to turn it off just for these users, and googling for it 
> has so far netted me a whole load of gumpf with little or no relation to this.
> 
> Is it just a simple matter of deleting the appropriate entries (i.e. 
> changing sync:$1$6dsbjkfdbfjkdbfdjkdbkjgobbeldekgook:34692:0:999999:7::: to 
> sync:*: etc etc...) in /etc/shadow and /etc/shadow-? It would seem likely, 
> but I'm loath to do it in case I b0rk the whole system up. And do I need 
> to modify shadow and shadow-? I'm unsure of how these two files relate to 
> one another.

Here is another perfect example of using PAM.

PAM is flexible enough to be used for SSH key auth only (no password
auth) while still allowing password-based authentication for other
users, as well as SSH password and key auth.

I am busy making plans for a production move, but this is one of those
things that PAM was originally designed around (well okay, re-designed
around).

It should be a matter of enumerating a group with the user and setting
restrictions on the group in PAM for system-auth or something similar
that everything uses.

Given that, you could even set the passwords for them to "*" and still
get key-only authentication given this kind of config. Also remember:
the first rule that applies wins in PAM's setup. Testing first is of the
utmost importance.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux
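
An added example, not part of the original thread: a check that reports which key-only accounts still have a shadow password field that permits password login, so a change like the "*" edit discussed above can be verified afterwards. The sample shadow lines, the hash strings and the KEY_ONLY set are constructed for illustration.

```python
# Added example: classify /etc/shadow password fields for key-only accounts.
# SAMPLE_SHADOW and KEY_ONLY are constructed; the hashes are not real.

SAMPLE_SHADOW = """\
root:$6$c0nstructedsalt$c0nstructedhashvalue:19000:0:99999:7:::
alice:$1$c0nstruc$c0nstructedhashvalue00:12700:0:99999:7:::
bob:*:12700:0:99999:7:::
carol:!$1$c0nstruc$c0nstructedhashvalue00:12700:0:99999:7:::
dave::12700:0:99999:7:::
"""

KEY_ONLY = {"alice", "bob", "carol", "dave", "erin"}


def classify(field):
    """Return how the second shadow field behaves for password login."""
    if field == "":
        return "empty"      # no password required at all
    if field[0] in "!*":
        return "locked"     # not a valid crypt(3) result, no password matches
    return "password"       # a hash that a password can still match


def parse_shadow(text):
    """Map login name -> password-field class, skipping malformed lines."""
    states = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        states[parts[0]] = classify(parts[1])
    return states


def audit(text, key_only):
    """Return key-only users whose entry is not locked, with the reason."""
    states = parse_shadow(text)
    findings = {}
    for user in sorted(key_only):
        state = states.get(user, "missing")
        if state != "locked":
            findings[user] = state
    return findings


if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW, KEY_ONLY).items():
        print(f"{user}: {state}")
```

An "empty" finding deserves attention first, since an empty field means no password is required for that account.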
