[clue-tech] sshd authorization strategies
Angelo Bertolli
angelo at freeshell.org
Wed Sep 12 15:54:53 MDT 2007
Dan Harris wrote:
> However, I'm not clear how this gets around my initial problem.. I
> don't want all accounts to have ssh access, only some, but I don't
> want to have to add each user to sshd_config and restart the service
> every time ( plus the 256 limit is looming ).
Well, I think something like /bin/false as a shell won't allow ssh file
transfers. And I'm pretty sure even rbash doesn't (which is why I ended
up having to use rssh). So the default shell for a new user on your
system can be something like /bin/false that disallows access. (At
least that's how I used to have users without any shell access.)
Then you can give scp users rssh.
Then you can give full shell users a non-restricted shell, but maybe
rssh is good enough for them anyway.
The man page says:
The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
So right now do you have something like DenyUsers * ?
Maybe you can change that to DenyUsers root, and then AllowUsers root@backup
Angelo
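To make the processing order quoted from the man page concrete, here is an added example that is not from the post or from the OpenSSH project: a small Python model of sshd's allow/deny evaluation, run over a constructed sshd_config fragment and a constructed account table (the host names, group names and user names are hypothetical). It follows the documented order DenyUsers, AllowUsers, DenyGroups, AllowGroups and reports which directive stopped a login. Because DenyUsers is checked first and a bare pattern such as `root` matches that user from every client, the model also shows that a host-qualified `AllowUsers root@backup` only takes effect when root is not also listed in DenyUsers.

```python
"""Model of sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups order.

Added example, not code from the clue-tech post or from OpenSSH.  The
config text and the account table below are constructed for illustration.
Simplifications: '*' and '?' globbing only, no '!' negation, no CIDR.
"""
import fnmatch

# Constructed sshd_config fragment (hypothetical hosts and groups).
SSHD_CONFIG = """\
# Deny root everywhere, then try to re-allow it from one host
DenyUsers root
AllowUsers root@backup alice bob *@10.0.0.*
DenyGroups nossh
AllowGroups sshusers wheel
"""

# Constructed account table: user name -> group list (primary group first).
USERS = {
    "root":  ["wheel"],
    "alice": ["sshusers"],
    "bob":   ["nossh", "sshusers"],
    "carol": ["sshusers"],
    "dave":  ["staff"],
}


def parse_config(text):
    """Collect the four directives; each keeps a list of glob patterns."""
    opts = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in opts:
            opts[parts[0]].extend(parts[1].split())
    return opts


def match_user(user, host, pattern):
    """sshd-style match: 'pat' matches the user name only; 'upat@hpat'
    matches the user name and the client host (name or address)."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def any_group_matches(groups, patterns):
    """True if any of the user's groups matches any pattern."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def allowed(opts, user, host, groups):
    """Return (allowed, reason) following the order in sshd_config(5)."""
    if any(match_user(user, host, p) for p in opts["DenyUsers"]):
        return False, "listed in DenyUsers"
    if opts["AllowUsers"] and not any(match_user(user, host, p) for p in opts["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if any_group_matches(groups, opts["DenyGroups"]):
        return False, "a group is listed in DenyGroups"
    if opts["AllowGroups"] and not any_group_matches(groups, opts["AllowGroups"]):
        return False, "no group is listed in AllowGroups"
    return True, "allowed"


def check(config_text, user, host):
    """Evaluate one login attempt against a config fragment."""
    return allowed(parse_config(config_text), user, host, USERS.get(user, []))


if __name__ == "__main__":
    attempts = [("root", "backup"), ("alice", "10.0.0.5"), ("bob", "10.0.0.5"),
                ("carol", "10.0.0.7"), ("carol", "192.168.1.9"), ("dave", "10.0.0.9")]
    for user, host in attempts:
        ok, why = check(SSHD_CONFIG, user, host)
        print(f"{user}@{host}: {'allow' if ok else 'deny'} ({why})")
    # Same host-qualified entry without the DenyUsers line: root from
    # "backup" gets in, root from any other client does not.
    print(check("AllowUsers root@backup\n", "root", "backup"))
    print(check("AllowUsers root@backup\n", "root", "desktop"))
```

Run it as a script to see each attempt and the directive that decided it. Note that once AllowUsers (or AllowGroups) is non-empty it becomes a whitelist, so every account that should keep access has to match one of its patterns; the `*@10.0.0.*` entry is the usual way to keep that list short.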