On 02/07/2013 08:33, Grant wrote:
>>> My backup user needs a shell on the backup server in order to execute
>>> rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
>>> order to SSH in.  My authorized_keys file is locked-down.  The second
>>> field for the user in /etc/shadow is an exclamation point which I
>>> think means the user can not log in with a password.  Should I take
>>> any additional steps to prevent that user from logging in and not
>>> being subject to the authorized_keys restrictions?
>>
>> What about "PasswordAuthentication no"?
> 
> Can that be set for a single user?  I have a normal user who needs to
> log in via SSH with a password and a backup user who only needs to run
> rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
> prevent the user from logging in without the SSH key?

Depends.

The user doesn't have a Unix password, so if the system prompts for one
it cannot succeed and the login fails.

But sshd has other implementations for authentication too, not just
classic Unix. If it uses PAM, then PAM could in theory do anything, even
using AD to authenticate with a password.

So if your sshd config uses Unix passwords and keys ONLY (this is the
norm), then what you describe above does what you want. To be sure, you
need to audit sshd_config and your PAM setup.

-- 
Alan McKinnon
alan.mckin...@gmail.com

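Added example, not from the thread or its authors: a constructed sshd_config that keeps password logins for the normal user but makes the backup account key-only via a `Match User` block, plus a small shell audit that resolves a keyword's effective value for a user the way sshd does (global lines first, then the first matching Match block overrides). The user names and config values are assumptions; on a real host the authoritative check is `sshd -T -C user=backup`.

```shell
#!/bin/sh
# Constructed sshd_config (example values, not a real host's config):
# password logins stay enabled globally, the backup account is key-only.
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
AllowUsers grant backup
Match User backup
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthenticationMethods publickey
EOF

# effective_value FILE USER KEYWORD
# Simplified model of sshd's resolution: a global line sets the default,
# and the first "Match User <name>" block that matches overrides it.
# Exact-name matches only; wildcards and lists are not handled here.
effective_value() {
    key=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    awk -v user="$2" -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blanks
        tolower($1) == "match" {
            in_match = 1; active = 0
            for (i = 2; i <= NF; i += 2)
                if (tolower($i) == "user" && $(i + 1) == user) active = 1
            next
        }
        tolower($1) == key {
            if (!in_match)                     global = $2
            else if (active && matched == "")  matched = $2   # first match wins
        }
        END { print (matched != "" ? matched : global) }
    ' "$1"
}

# Audit: which users could still present a password to this sshd?
for u in grant backup; do
    printf '%s: PasswordAuthentication=%s AuthenticationMethods=%s\n' "$u" \
        "$(effective_value "$CONF" "$u" PasswordAuthentication)" \
        "$(effective_value "$CONF" "$u" AuthenticationMethods)"
done
```

A `Match` block answers the "single user" question without touching the global setting; the PAM side still needs its own review, as the reply notes.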
