You don't say what system you are using as the server.  If it is Linux or 
Solaris look at PAM.  This allows you to use Kerberos, LDAP, etc.  I will say, 
you may have to write your own PAM authentication module and make sure ssh was 
compiled with PAM support.  Then point the PAM entries for sshd to your module 
that checks some place other than /etc/passwd.

Not sure what you could do on other systems that don't have pam.  

        --Dave
        
>Date: Wed, 21 Mar 2001 17:22:01 -0600
>From: Kelly Corbin <[EMAIL PROTECTED]>
>User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.0 i686; en-US; m18) Gecko/20010131 Netscape6/6.01
>X-Accept-Language: en
>MIME-Version: 1.0
>To: Blue Lang <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED]
>Subject: Re: Authentication without /etc/passwd
>Content-Transfer-Encoding: 7bit
>
>Thanks for the response.
>
>Blue Lang wrote:
>
>> On Wed, 21 Mar 2001, Kelly Corbin wrote:
>> 
>> 
>>> Is it possible to do authentication by some other means other than
>>> /etc/passwd or system login?  I know this sounds weird, but I want to
>>> allow various logins in ssh, but not give them regular system access.
>> 
>> 
>> yes. you can use host-based or key-based authentication. i've never heard
>> of anyone using a different password file or NCSA or anything like that
>> without hackage.
>
>That's exactly what I'm talking about; using a different password file 
>or some other externally controlled mechanism such as a database, etc.
>
>
>> 
>> 
>>> SSH2 makes it possible to run FTP over SSH for secure FTP connections,
>>> but now that that security hole has been eliminated (clear text
>>> passwords) in my system I want to make it even more secure.  ProFTPD
>> 
>> 
>> if you're talking about sftp, then, no, it doesn't. i assume you're
>> actually talking about tunnelled ftp?
>
>Yes, tunneled ftp.
>
>> 
>> 
>>> This way I could chroot a user to a particular directory in FTP, but
>>> they wouldn't have a normal system login so they couldn't ssh in like a
>>> normal system user.
>> 
>> 
>> you can chroot users w/ssh. check the included docs.
>
>Chroot is not enough.  I don't even want them to have a shell; too many 
>opportunities for exploits.  FTP access to the system only (even then, 
>many FTP servers are riddled with latent security issues).  Regular 
>system users can shell in OK, I don't care about them.  I want to 
>severely restrict all other users.  Specifically, I want my web users to 
>be able to update their sites, but not have any other access to the system.
>
>
>
>-- 
>--------------------------------------------
>-- Kelly Corbin
>-- Systems Administrator
>--
>-- http://www.theiqgroup.com
>--
>-- The IQ Group, Inc.
>-- 6740 Antioch Suite 110
>-- Merriam, KS 66204
>-- (913)-722-6700
>-- Fax (913)722-7264
>--------------------------------------------
>

--
David Knight French                           
Black Mountain Computer Consulting
Voice: (858)279-4862
Email: [EMAIL PROTECTED]
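As an added illustration of Dave's PAM suggestion (not part of the thread; the file paths, the choice of the stock Linux-PAM `pam_userdb` module and the `db_load` step are assumptions): a `/etc/pam.d/sshd` stack that authenticates sshd logins against a separate Berkeley DB credential file instead of `/etc/passwd`.

```text
# /etc/pam.d/sshd  (assumed example configuration)
#
# Credentials live in /etc/ssh-users.db, built from a text file that
# alternates "username" and "crypt-hash" lines, e.g.:
#   db_load -T -t hash -f /etc/ssh-users.txt /etc/ssh-users.db
# pam_userdb appends ".db" itself, so the db= option names the file
# without the suffix.  crypt=crypt makes it compare crypt(3) hashes
# rather than plaintext values.
auth      required   pam_userdb.so  db=/etc/ssh-users crypt=crypt
account   required   pam_permit.so
session   required   pam_permit.so
# Deliberately no pam_unix.so on any line: adding it would let sshd
# fall back to /etc/passwd and /etc/shadow, which is what this stack
# is meant to avoid.
```

Caveat for this approach: sshd still resolves the login name with getpwnam() before PAM runs, so each such user needs an account record (a passwd entry or an NSS source) with a non-interactive shell, and sshd must be built with PAM support and configured to use it.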
