Re: Disable SSH passwords per user
Ted wrote:
> Now I know I can do a Match pattern on User with PasswordAuthentication.

You can also Match a group, which will be useful if you wish to disable password authentication for more than one user now or to leave the option open in the future.

/Lars
Disable SSH passwords per user
Had a quick google and search or marc, but came up with no answers.

Is it possible to disable password based logins per user (like with the adduser --disabled-password in Linux) on OpenBSD, and therefore have the user only use SSH Keys?

I'm aware of the sshd_config setting PasswordAuthentication no which makes this occur system wide. I just wanted to ensure I'm not missing something else, in setting up a single user on a system that doesn't have PasswordAuthentication no set for system wide SSH logins. Maybe using login classes?

The reason: I'm trying to set up gitosis (http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an OpenBSD server, but the README is Linux centric.

-- Ted
Re: Disable SSH passwords per user
2010/1/5 Ted t...@pobox.com:
> Had a quick google and search or marc, but came up with no answers.
>
> Is it possible to disable password based logins per user (like with the adduser --disabled-password in Linux) on OpenBSD, and therefore have the user only use SSH Keys?
>
> I'm aware of the sshd_config setting PasswordAuthentication no which makes this occur system wide. I just wanted to ensure I'm not missing something else, in setting up a single user on a system that doesn't have PasswordAuthentication no set for system wide SSH logins. Maybe using login classes?
>
> The reason: I'm trying to set up gitosis (http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an OpenBSD server, but the README is Linux centric.

You can use per user rules in sshd_config, just read the man page.

-- The best the little guy can do is what the little guy does right
Re: Disable SSH passwords per user
sshd_config(5), look at Match.

You may also want to look at command= in sshd(8).

And of course you can always set an impossible password hash to prevent password logins...

On Tue, Jan 05, 2010 at 11:18:39AM +1100, Ted wrote:
> Had a quick google and search or marc, but came up with no answers.
>
> Is it possible to disable password based logins per user (like with the adduser --disabled-password in Linux) on OpenBSD, and therefore have the user only use SSH Keys?
>
> I'm aware of the sshd_config setting PasswordAuthentication no which makes this occur system wide. I just wanted to ensure I'm not missing something else, in setting up a single user on a system that doesn't have PasswordAuthentication no set for system wide SSH logins. Maybe using login classes?
>
> The reason: I'm trying to set up gitosis (http://eagain.net/gitweb/?p=gitosis.git;a=blob;f=README.rst) on an OpenBSD server, but the README is Linux centric.
>
> -- Ted
Re: Disable SSH passwords per user
On Tue, Jan 5, 2010 at 11:32 AM, Eugene Yunak e.yu...@gmail.com wrote:
> You can use per user rules in sshd_config, just read the man page.

I've read the man page a number of times, and didn't see that. The closest thing was AllowUsers, but this is for enabling and disabling logins per user, not limiting a user to SSH Key logins only.

But after reading the ssh_config manpage, I note that one can set PasswordAuthentication no in a per-user configuration file ~/.ssh/config.

The problem with this is the manpage states this file must have strict permissions: read/write for the user, and not accessible by others. This means the user can edit this after logging in, and remove or change the PasswordAuthentication variable.

-- Ted
Re: Disable SSH passwords per user
On Tue, Jan 5, 2010 at 11:35 AM, Nicholas Marriott nicholas.marri...@gmail.com wrote:
> sshd_config(5), look at Match.

That's what I was missing. Was reading over that and my mind was reading match for Host or Address only. Now I know I can do a Match pattern on User with PasswordAuthentication. Thanks Nicholas and Eugene.

> You may also want to look at command= in sshd(8).

Looks interesting and may be useful for what I'm setting up.

> And of course you can always set an impossible password hash to prevent password logins...

True.

-- Ted
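
The Match User and Match Group approach the thread settles on, as an added example that is not part of any message above: a constructed sshd_config with password logins left on globally and turned off per user and per group, plus a small resolver showing which PasswordAuthentication value applies to a given account. The user "git", the group "keyonly", and the function names are assumptions; only the User, Group and All criteria are evaluated, and Python's fnmatch stands in for sshd's pattern matcher.

```python
import fnmatch

# Constructed sshd_config: passwords stay on globally, off for the user "git"
# and for members of the hypothetical group "keyonly".
SAMPLE = """\
PasswordAuthentication yes
Match User git
    PasswordAuthentication no
Match Group keyonly
    PasswordAuthentication no
"""

def match_list(value, patterns):
    """Pattern list: 1 = match, 0 = no match, -1 = hit a negated ('!') pattern."""
    result = 0
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(value, pat.lstrip("!")):
            if pat.startswith("!"):
                return -1
            result = 1
    return result

def criteria_match(criteria, user, groups):
    """Every criterion on the Match line must be satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for name, patterns in zip(criteria[::2], criteria[1::2]):
        if name.lower() == "user":
            ok = match_list(user, patterns) == 1
        elif name.lower() == "group":
            hits = [match_list(g, patterns) for g in groups]
            ok = 1 in hits and -1 not in hits
        else:
            raise ValueError(f"unsupported Match criterion: {name}")
        if not ok:
            return False
    return True

def effective(config, keyword, user, groups, default="yes"):
    """First value in a matching Match block, else first global value, else default."""
    found, in_match, active = {}, False, True
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0].lower() == "match":
            in_match, active = True, criteria_match(words[1:], user, groups)
        elif len(words) > 1 and active and words[0].lower() == keyword.lower():
            found.setdefault(in_match, words[1])  # first obtained value wins
    return found.get(True) or found.get(False) or default
```

On a live system, sshd's extended test mode (`sshd -T` with a `-C user=...` connection spec) prints the values the daemon itself resolves for that user.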