[clue-tech] sshd authorization strategies

Dan Harris dan at drivefaster.net
Wed Sep 12 16:06:08 MDT 2007


Angelo Bertolli wrote:
> Dan Harris wrote:
>> However, I'm not clear how this gets around my initial problem..  I 
>> don't want all accounts to have ssh access, only some, but I don't 
>> want to have to add each user to sshd_config and restart the service 
>> every time ( plus the 256 limit is looming ).
> 
> Well, I think something like /bin/false as a shell won't allow ssh file 
> transfers.  And I'm pretty sure even rbash doesn't (which is why I ended 
> up having to use rssh).  So the default shell for a new user on your 
> system can be something like /bin/false that disallows access.  (At 
> least that's how I used to have users without any shell access.)
> 
> Then you can give scp users rssh.
> 
> Then you can give full shell users a non-restricted shell, but maybe 
> rssh is good enough for them anyway.
> 
> The man page says:
> 
> The allow/deny directives are processed in the following order: 
> DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
> 
> So right now do you have something like DenyUsers * ?
> 
> Maybe you can change that to DenyUsers root, and then AllowUsers 
> root at backup
> 

Sounds like a plan!  I'll give it a shot.  Thanks for your help.

-Dan
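As an added illustration of the directive order quoted above (not part of the original thread): a POSIX shell model of how sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups, run against a constructed sshd_config fragment. It also shows two consequences worth checking before adopting the suggestion: a DenyUsers entry is tested first, so a user denied there is not re-allowed by a later AllowUsers user@host entry, and once AllowUsers is non-empty every user it does not list is refused. The config text, host names and user names are constructed for the example.

```shell
# Constructed sshd_config fragment (example data, not a real host's config): root is
# refused everywhere and only two groups get in, so granting access is a group change.
SSHD_CONFIG='
DenyUsers root
AllowGroups sshusers scpusers
'
# Print the values following a directive, e.g. "AllowGroups" -> "sshusers scpusers".
# (sshd keywords are case-insensitive; this model matches them exactly.)
directive_values() {
    printf '%s\n' "$SSHD_CONFIG" | awk -v d="$1" '$1 == d { $1 = ""; sub(/^ /, ""); print }'
}
# Return 0 if name $1 (client host $2, used only for user@host patterns) matches
# any pattern in list $3. sshd's * and ? wildcards are the same as shell globs.
matches_any() {
    m_name=$1; m_host=$2; m_list=$3
    for pat in $m_list; do
        case $pat in
            *@*)
                upat=${pat%%@*}; hpat=${pat#*@}
                case $m_name in
                    $upat) case $m_host in $hpat) return 0 ;; esac ;;
                esac ;;
            *)
                case $m_name in $pat) return 0 ;; esac ;;
        esac
    done
    return 1
}
# Evaluate the directives in the order the man page gives:
# DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
# $1 = user, $2 = client hostname, $3 = the user's groups (space separated).
ssh_user_allowed() {
    user=$1; host=$2; user_groups=$3
    deny_u=$(directive_values DenyUsers);  allow_u=$(directive_values AllowUsers)
    deny_g=$(directive_values DenyGroups); allow_g=$(directive_values AllowGroups)
    # 1. A DenyUsers match rejects before anything else is consulted.
    matches_any "$user" "$host" "$deny_u" && return 1
    # 2. Once AllowUsers is set, every user not listed there is rejected.
    [ -n "$allow_u" ] && ! matches_any "$user" "$host" "$allow_u" && return 1
    # 3. Membership in any DenyGroups group rejects.
    for g in $user_groups; do matches_any "$g" "" "$deny_g" && return 1; done
    # 4. Once AllowGroups is set, at least one of the user's groups must be listed.
    if [ -n "$allow_g" ]; then
        for g in $user_groups; do matches_any "$g" "" "$allow_g" && return 0; done
        return 1
    fi
    return 0
}
```

Reassign SSHD_CONFIG and call ssh_user_allowed to try a candidate config against a user, host and group list before editing the real file.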