[clue-tech] sshd authorization strategies

Dan Harris dan at drivefaster.net
Wed Sep 12 16:21:28 MDT 2007


Dan Harris wrote:
> Angelo Bertolli wrote:
>> Dan Harris wrote:
>>> However, I'm not clear how this gets around my initial problem..  I 
>>> don't want all accounts to have ssh access, only some, but I don't 
>>> want to have to add each user to sshd_config and restart the service 
>>> every time ( plus the 256 limit is looming ).
>>
>> Well, I think something like /bin/false as a shell won't allow ssh 
>> file transfers.  And I'm pretty sure even rbash doesn't (which is why I
>> ended up having to use rssh).  So the default shell for a new user on 
>> your system can be something like /bin/false that disallows access.  
>> (At least that's how I used to have users without any shell access.)
>>
>> Then you can give scp users rssh.
>>
>> Then you can give full shell users a non-restricted shell, but maybe 
>> rssh is good enough for them anyway.
>>
>> The man page says:
>>
>> The allow/deny directives are processed in the following order: 
>> DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
>>
>> So right now do you have something like DenyUsers * ?
>>
>> Maybe you can change that to DenyUsers root, and then AllowUsers 
>> root@backup
>>
> 
> Sounds like a plan!  I'll give it a shot.  Thanks for your help.
> 
> -Dan

Well, I tried those settings and it won't let any user other than 
root@backup-server log in.  The log says "not allowed because not listed in 
AllowUsers".  Apparently, if you have anything in AllowUsers, that's all you get.

-Dan
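The evaluation order the man page describes (DenyUsers, AllowUsers, DenyGroups, AllowGroups) is what produces the log line Dan quotes: once AllowUsers is set at all, every user it does not match is refused before the group directives are even consulted. The simulation below is an added illustration, not code from OpenSSH or from anyone in this thread. It reproduces that order over a constructed account table, and also shows two things a practitioner would check before editing sshd_config: a bare `DenyUsers root` is evaluated first and matches root from every host, so the literal suggestion quoted above would refuse root@backup-server too; and AllowUsers and AllowGroups are both applied, not unioned, so the scalable pattern is a single `AllowGroups` entry plus a dedicated account (here a hypothetical `backup` user) for the backup job. Host patterns here are matched only against the client host name passed in; real sshd also tries the client IP address.

```python
"""Simulate sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation.

Added illustration, not code from OpenSSH or from the thread. It mirrors
the order documented in sshd_config(5). Host patterns are matched only
against the client host name given here (real sshd also tries the IP),
and the account table below is constructed for the example.
"""
import fnmatch

# Constructed accounts (assumption): user -> groups the user belongs to
USERS = {
    "root": ["root"],
    "dan": ["users", "sshusers"],
    "bob": ["users"],
    "backup": ["users", "sshusers"],   # hypothetical dedicated backup account
}


def _user_pattern_matches(pattern, user, host):
    """sshd-style user pattern: 'user' or 'user@host', glob wildcards allowed.
    A pattern without '@' matches the user from any host."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def _group_pattern_matches(patterns, groups):
    """True if any of the user's groups matches any group pattern."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def allowed(config, user, host, users=USERS):
    """Return (decision, reason) in the order sshd applies the directives."""
    if user not in users:
        return False, "no such user"
    groups = users[user]
    if any(_user_pattern_matches(p, user, host) for p in config.get("DenyUsers", [])):
        return False, "not allowed because listed in DenyUsers"
    allow_users = config.get("AllowUsers", [])
    if allow_users and not any(_user_pattern_matches(p, user, host) for p in allow_users):
        return False, "not allowed because not listed in AllowUsers"
    if _group_pattern_matches(config.get("DenyGroups", []), groups):
        return False, "not allowed because a group is listed in DenyGroups"
    allow_groups = config.get("AllowGroups", [])
    if allow_groups and not _group_pattern_matches(allow_groups, groups):
        return False, "not allowed because none of user's groups are listed in AllowGroups"
    return True, "allowed"


def evaluate(config, attempts):
    """Map each (user, host) login attempt to its (decision, reason)."""
    return {(u, h): allowed(config, u, h) for u, h in attempts}


# What Dan ended up with: only root from the backup host is listed, so
# nobody else passes the AllowUsers check.
THREAD_CONFIG = {"AllowUsers": ["root@backup-server"]}

# The quoted suggestion taken literally: DenyUsers is evaluated first and a
# bare "root" pattern matches root from every host, including backup-server.
LITERAL_SUGGESTION = {"DenyUsers": ["root"], "AllowUsers": ["root@backup-server"]}

# Group-based alternative: grant access by adding users to one group, with a
# dedicated (hypothetical) backup account instead of remote root logins.
GROUP_CONFIG = {"DenyUsers": ["root"], "AllowGroups": ["sshusers"]}

ATTEMPTS = [("root", "backup-server"), ("root", "laptop"),
            ("dan", "laptop"), ("bob", "laptop"), ("backup", "laptop")]

if __name__ == "__main__":
    for name, cfg in [("thread", THREAD_CONFIG),
                      ("literal suggestion", LITERAL_SUGGESTION),
                      ("AllowGroups", GROUP_CONFIG)]:
        print(name)
        for (u, h), (ok, why) in evaluate(cfg, ATTEMPTS).items():
            print(f"  {u}@{h}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Note that none of this touches what a user can do after authenticating: a login shell of /bin/false or rssh is enforced by the shell, not by sshd, so the two mechanisms are complementary rather than interchangeable.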